- 1 Samba AD management from Windows
- 2 Setting Up Roaming Profiles
- 3 Adding Organization Units (OU) Into a Samba Domain
- 4 Implementing Group Policies (GPO) in A Samba Domain
Samba AD management from Windows
We need to install the Windows 2003 Adminpak on Windows XP in order to use GUI tools to manage the domain. Before you begin, make sure that the domain administrators have administrative rights to control your computer. (To give any user administrative rights in Windows XP Pro, right click My Computer, select Manage -> choose Groups -> double click Administrators and add members from the domain to the member list. When you add members from Active Directory, it will prompt you to enter an Active Directory username and password.)
Step 1: Installing Windows Remote Administration Tools onto Windows
- Download the Windows Remote Administration Tools from:
- Follow the "Install RSAT" instructions
- Note: After installing, you have to enable the features in "Turn Windows features on or off" under "Programs" in the Control Panel!
Windows XP Pro
Administration Tools Pack & Support Tools
- Download adminpak and supporttools from:
- If you installed an older version of the adminpak, you'll notice the dial-in tab is missing from property pages. Just follow the link above to get SP2 which does not have this issue.
- Run through the installation.
- Press Start -> Run and type 'dsa.msc'. If an 'Active Directory Users and Computers' window pops up, you have installed the adminpak successfully. You can also find this at Start > Programs > Administrative Tools, which should have a lot more items now.
- Go to c:\Program Files\Support Tools to check whether the support tools were installed correctly; if yes, then your XP workstation is ready to manage the Samba 4 Active Directory.
Group Policy Management Console
- You may also find the Group Policy Management Console useful. You can download it from
- This is primarily useful when you have larger installs and are managing many machines. You may need to download the .NET Framework first.
Step 2: Viewing Samba Active Directory Content
- When logged on as a Domain Administrator, start the Active Directory Users and Computers Snap-In, either by clicking Start -> Programs\Administrative Tools\Active Directory Users and Computers, or by clicking Start -> Run 'dsa.msc'
- Expand the samdom.example.com tree to see existing objects in the domain.
- Note: You can also manage users using the normal Windows AD user management tools.
Setting Up Roaming Profiles
1. You will need to create a share for the profiles, typically named profiles. Edit the /usr/local/samba/etc/smb.conf to include:
[profiles]
path = /usr/local/samba/var/profiles
read only = no
2. Create the directory above using:
$ sudo mkdir /usr/local/samba/var/profiles
3. In Windows, start Active Directory Users and Computers, select all the users, right click, and choose Properties.
4. Under the profile tab, in the Profile path, type the path to your share along with %USERNAME% as follows:
5. Click OK, then log out and log in as one of those users. When you log out again, you should see that the profile has been synced onto the Samba server.
- Note: An excellent walk-through on configuring Roaming Profiles and Folder Redirection is available here.
- For more information on implementing roaming profiles, refer to the Implementing Roaming Profiles section of the wiki.
Adding Organization Units (OU) Into a Samba Domain
The Organizational Unit (OU) is a powerful feature in Active Directory. This is a type of container which allows you to drag & drop users and/or computers into it.
We can link several types of group policies to an OU, and the settings will be pushed out to all users/computers that sit under the OU. Within a single domain, you can have as many OUs and sub-OUs as you'd like. This can greatly reduce administrative overhead, since you are able to manage everything via an OU. The implementation of Group Policy will be discussed in the next chapter.
Before we create an OU, we must know what one looks like. By default we can see a sample OU called 'Domain Controllers', which uses a different icon in the Windows management tools than the 'users' and 'computers' containers. We can deploy Group Policy to the users or the computers container.
- To create an OU as the Domain Administrator, click Start -> Run -> dsa.msc
- Right click your domain.
- Select New -> Organizational Unit
- Type 'OU Demo'
- You will see a new OU appear, with the name 'OU Demo'.
- You can drag the user 'demo' into the new OU (Don't move other users! Unless you want to get stuck!).
- Right click 'OU Demo'; a sub-OU can be created with New -> Organizational Unit.
Normally OUs are created according to the department setup of your organization. Be careful not to confuse Groups and OUs. Groups are used to control permissions, OUs are used for deploying settings to all users/computers within the OU.
Implementing Group Policies (GPO) in A Samba Domain
Samba Active Directory has support for Group Policies, and can create a Group Policy on the fly. The basic idea of Group Policies is:
- Group Policies have two kinds of settings: computers and users.
- Computer settings apply to computers, while user settings apply to users.
- We link the group policy to a particular OU, and the group policy will affect all computers/users under the OU.
- To add a group policy, right click 'OU Demo' OU->properties.
- Choose group policy.
- Press new, and name it as 'GP Demo'.
- Press edit to modify the policy.
- Here we will demonstrate how to block users from accessing the Control Panel. Open the tree 'User Configuration' -> 'Administrative Templates' -> 'Control Panel'.
- Double click on 'Prohibit access to the Control Panel'.
- Press Enabled and then press OK. Now all users under 'OU Demo' won't be able to access the Control Panel.
- Make sure that the user 'demo' is inside the 'OU Demo' (You can drag and drop it).
- Logout and login as user 'demo'.
- You'll find that the user 'demo' is not able to access the Control Panel.
- User configuration will take effect once you logout and login.
- Computer configuration will take effect when you restart the computer.
- GPO Password Policies are not read by Samba when assigning passwords. To change the policy that Samba uses, you must use samba-tool domain passwordsettings.
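Because Samba takes its password policy from samba-tool domain passwordsettings rather than from GPOs, the effective policy has to be checked on the DC itself. The script below is an added example, not part of the original page: it parses the output of `samba-tool domain passwordsettings show` and lists weak settings. The sample output is constructed, and the MIN_LEN baseline and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit the password policy that Samba actually enforces.
# MIN_LEN is an assumed baseline for illustration, not a Samba default.
MIN_LEN=12

# Constructed sample of `samba-tool domain passwordsettings show` output.
sample_show_output() {
cat <<'EOF'
Password information for domain 'DC=samdom,DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
EOF
}

# Reads the "show" output on stdin and prints one finding per line.
# No output means every checked setting meets the baseline.
audit_pwpolicy() {
  awk -F': *' -v min_len="$MIN_LEN" '
    /^Password complexity:/       && $2 != "on"     { print "complexity is " $2 }
    /^Store plaintext passwords:/ && $2 != "off"    { print "plaintext storage is " $2 }
    /^Minimum password length:/   && $2+0 < min_len { print "min length " $2 " < " min_len }
    /^Account lockout threshold/  && $2+0 == 0      { print "lockout disabled (threshold 0)" }
  '
}

# Stand-alone run against the constructed sample.
sample_show_output | audit_pwpolicy

# On a real DC (as root) the same check would be:
#   samba-tool domain passwordsettings show | audit_pwpolicy
# and findings are corrected with, for example:
#   samba-tool domain passwordsettings set --min-pwd-length=12
#   samba-tool domain passwordsettings set --account-lockout-threshold=5
```

Settings edited in a GPO do not appear in this output, which is why the check reads Samba's own values.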
To learn more about managing and implementing organizational units, group policies, and Active Directory, try a web search for Windows 2003 Active Directory implementation.