0

I seem to be stuck. I come from a mostly POSIX background, & have been thrown into the deep end on this one, so learning as I go along - so not sure if there's no solution, or if it's my own Dunning-Kruger at play.

Setup:
(Trying to keep as much of the back-end FLOSS, non-FLOSS only where can't escape)

  • Running a CentOS (7) server
  • Samba (4) Active Directory domain (Sernet repo) - replicated cluster
  • W764-64 & W10p-64 testing VM's
  • W10p-64 admin VM
  • N Windows desktops in several "departments"

So far it all looks OK: got basic, stable setup as per docs, pushed out some basic GPO's to network (eg. create a file in %TEMP%, or alike), so can confirm that basic GPO creation & permissions are OK.
gpupdate et al. is all good.

What I now need to do is better target GPO's & test impact on smaller subset of desktops before deploying throughout the entire org.

From what I can gather (& this is where the limits of my w32-knowledge come sharply into focus), this is achieved by creating & applying a WMI filter to said GPO.
From what I gather it seems to be a pretty vanilla SQL or SQL-like syntax, and the suggested manner of creating such statements is to use WMI Explorer to explore Namespaces & build said targeting queries. (quite nice actually)

Obviously the tool can poll localhost namespaces absolutely fine, but when I try to connect it to the DC's, I fail, as there is no WMI or RPC on a Linux/POSIX box to speak of (which seems obvious, but trying not to make too many assumptions).

This leaves me in a precarious position - I need to do what seems to be pretty normal sysadmin work, but Samba does not seem to support WMI (& the wiki seems to bear this out), which Windows seems to rely heavily on & make extensive use of.
But I still need to find a good/stable way to take a more targeted & nuanced approach to deploying controls to a large number of hosts, and the assumed/suggested resources fall far short of the mark.

Workshop

2 Answers

1

Along with the suggestion to use Organizational Units to target your Group Policy objects, you can also use Security Filtering in the applicable GPOs to have them apply to only specific computers and/or users. You'd simply remove Authenticated Users from the Security Filtering of the GPO and add the relevant computer or user accounts, or more preferably, the security groups of which the desired computer or user accounts are members. This is a lot simpler, more straightforward and more intuitive than using WMI filters.

joeqwerty
  • Thanks - OUs seem the simplest, although it limits options to a linear hierarchy, so to speak. I've tried the WMI filtering, and it seems the 'better' solution, although I now need to delve into the SQL syntax. My general SQL is OK, but I've not yet used it in this context, so finding the right context has been tricky. Thanks for the pointers though – Workshop Jun 18 '16 at 23:08
0

I am not sure you are looking at this from the right angle. AFAIK each desktop pulls the filter from the directory and then checks if the GPO should be applied or not. It's not that the server actively allocates GPOs only to a limited number of desktops. So, doesn't sound like a Samba issue. And that you cannot use WMI to query a Linux machine should be quite clear.

By the way, you can also create a subset of laptops manually, by putting them in a separate OU - no need to fiddle with WMI filters.

vic
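
An added example, not part of either answer or of the Samba documentation: because a GPO's WMI filter is evaluated by each Windows client against its own WMI repository, a candidate filter can be checked on a test VM with no connection to the DC. The function name `Test-GpoWmiFilter`, the sample queries and the `PILOT-` hostname prefix are hypothetical and constructed for illustration.

```powershell
# Added example: evaluate candidate GPO WMI-filter queries on the local client.
# A WMI filter lets the GPO apply only if EVERY query in it returns
# at least one instance on the machine doing the evaluation.
function Test-GpoWmiFilter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Query,
        [string] $Namespace = 'root\CIMv2'
    )

    $results = foreach ($q in $Query) {
        try {
            # Run the WQL locally, the same place the client evaluates the filter
            $rows = @(Get-CimInstance -Namespace $Namespace -Query $q -ErrorAction Stop)
            $matched = $rows.Count -gt 0
            $err = $null
        } catch {
            # Bad WQL or unknown class: this example counts it as "no match"
            $matched = $false
            $err = $_.Exception.Message
        }
        [pscustomobject]@{ Query = $q; Matched = $matched; Error = $err }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        # The GPO would apply only when no query came back empty
        Applies  = -not ($results | Where-Object { -not $_.Matched })
        Details  = $results
    }
}

# Constructed sample filter: Windows 10 workstations whose hostname
# starts with the hypothetical pilot prefix "PILOT-".
$pilotFilter = @(
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.%" AND ProductType = 1',
    'SELECT * FROM Win32_ComputerSystem WHERE Name LIKE "PILOT-%"'
)

$outcome = Test-GpoWmiFilter -Query $pilotFilter
$outcome.Details | Format-Table Query, Matched, Error -Wrap
"GPO would apply on {0}: {1}" -f $outcome.Computer, $outcome.Applies
```

Run it on one machine that should receive the GPO and one that should not before attaching the same queries to the GPO as a WMI filter.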