huddlZddlZddlmZddlZddlZddlmcm Z ddl Z ddl Z ddl mZddlmZmZmZmZddlmZddlmZddlmZddlmZmZddlmZddlZddl Zdd l mZm Z m!Z!dd l"m#Z#dd lm$Z$dd l%m&Z'dd lm(Z(ddl)Z)ddl*m+Z+ddlm,Z,ddl-m.Z.ddl/m0Z0m1Z1m2Z2ddl3m4Z4ddl5m6Z6m7Z7m8Z8m9Z9ddl:m;Z;ddlm?Z?ddlm@Z@ddl"mAZAddlBmCZCmDZDddlEmFZFddlGmHZHmIZIddlJmKZKmLZLddlMZMddlNZNddlOmPZPddlQmRZRmSZSmTZTmUZUmVZVddlWmXZXmYZYmZZZdd l[m\Z\dd!l]m^Z^dd"l_m`Z`maZambZbd#Zcd$Zdd%Zed&Zfdd'Zgdddejejzejzejzfd(Zld)Zmd*Znd+Zoejfd,Zqd-Zre'je'jze'jze'jzZwd.Zx dd/ZyGd0d1eZzGd2d3ezZ{Gd4d5ezZ|Gd6d7ezZ}Gd8d9ezZ~Gd:d;ezZGd<d=ezZGd>d?ezZGd@dAezZGdBdCezZGdDdEezZGdFdGezZGdHdIezZGdJdKezZGdLdMezZGdNdOeZGdPdQezZGdRdSezZGdTdUeZGdVdWezZGdXdYeZGdZd[ezZGd\d]eZGd^d_ezZGd`daeZGdbdceZGdddeeZGdfdgezZGdhdieZGdjdkeZGdldmezZGdndoezZGdpdqeZGdrdseZGdtduezZGdvdwezZGdxdyeZGdzd{eZGd|d}ezZGd~deZGddeZGddezZGddezZGddeZGddeZGddeZGddezZGddeZGddeZGddezZGddeZGddeZGddezZGddezZGddeZGddeZGddeZGddeZGddeZGddeZGddeZy)N)system_session)Command CommandErrorOption SuperCommand)SamDB)dsdb)security) ndr_unpackndr_pack)preg) AUTH_SESSION_INFO_DEFAULT_GROUPSAUTH_SESSION_INFO_AUTHENTICATED#AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) netcmd_finddc)policy)libsmb_samba_internal) NTSTATUSError) dsacl2fsacl)nbt)Net)GPParserGPNoParserExceptionGPGeneralizeException) GPPolParser) GPIniParser GPTIniParserGPFDeploy1IniParserGPScriptsIniParser)GPAuditCsvParser)GptTmplInfParser) GPAasParser)param) attr_default) get_bytes get_string) ConfigParser)StringIOBytesIO) calc_modestat_from_mode) str_regtype)NT_STATUS_OBJECT_NAME_INVALIDNT_STATUS_OBJECT_NAME_NOT_FOUNDNT_STATUS_OBJECT_PATH_NOT_FOUNDNT_STATUS_OBJECT_NAME_COLLISIONNT_STATUS_ACCESS_DENIED)create_directory_hiersmb_connection get_gpo_dn)RegistryGroupPolicies) REG_MULTI_SZ)register_gp_extensionlist_gp_extensionsunregister_gp_extensionc^tj|}|sd}|Sdj|}|S)zreturn gpo flags stringNONE )r get_gpo_flagsjoin)valueflagsrets 2/usr/lib/python3/dist-packages/samba/netcmd/gpo.pygpo_flags_stringrC[s5   'E  Jhhuo Jc^tj|}|sd}|Sdj|}|S)zreturn gplink options stringr;r<)rget_gplink_optionsr>)r?optionsrAs rBgplink_options_stringrHes6''.G  Jhhw JrDc8g}|jdk(r|S|jd}|D]l}|s|jd}t|dk7s|djdst d|z|j |ddd t |d d n|S) z.parse a gPLink into an array of dn and options];rz[LDAP://zBadly formed gPLink '%s'NdnrG)stripsplitlen startswith RuntimeErrorappendint)gplinkrAagds rB parse_gplinkr]os C ||~  SA ;  GGCL q6Q;adooj99A=> > !A$qr(s1Q4y9: ; JrDc6djd|D}|S)z4Encode an array of dn and options into gPLink stringrJc36K|]}d|d|dfzyw)z[LDAP://%s;%d]rQrGN).0r[s rB z encode_gplink..s#M"agq|%<<Ms)r>)gplistrAs rB encode_gplinkrds ''MfM MC JrDcl|| t||}d|z}|S#t$r}td|d}~wwxYw)zjIf URL is not specified, return URL for writable DC. If dc is provided, use that to construct ldap URLNzCould not find a DC for domainldap://)r ExceptionrV)lpcredsurldces rBdc_urlrmsR { : H"2u-"n J H"#CQGG Hs  3 .3c|j}|jtj|d|}d}tj}|dtj |z}|dtj |z}||}tj } |j|||gdd|zg} | S#t$r} |d |z} nd } t| | d} ~ wwxYw) z0Get GPO information using gpo, displayname or dnzCN=Policies,CN=Systemz"(objectClass=groupPolicyContainer)Nz.(&(objectClass=groupPolicyContainer)(name=%s))z5(&(objectClass=groupPolicyContainer)(displayname=%s)))nTSecurityDescriptor versionNumberr@name displayNamegPCFileSysPathgPCMachineExtensionNamesgPCUserExtensionNames sd_flags:1:%d)basescope expressionattrscontrolsz!Cannot get information for GPO %szCannot get information for GPOs) get_default_basedn add_childldbDnSCOPE_ONELEVEL binary_encode SCOPE_BASEsearchrgr) samdbgpo displaynamerQsd_flags policies_dnbase_dn search_expr search_scopemsgrlmesgs rB get_gpo_infors**,K#&&(?@AG6K%%L FIZIZ[^I__ MPSPaPabmPnn  ~~~ $ll|&1";&5x%?$@ B$ J $ ?6BBCs/'E :E, E)E$$E), F5 FFcg}|jdr|ddjdd}n&|jdr|ddjdd}t|dk7rtd|z|S) z;Parse UNC string into a hostname, a service, and a filepath\\rMN\z///zInvalid UNC string: %s)rUrSrT ValueError)unctmps rB parse_uncrsl C ~~f!"gmmD!$  !"gmmC# 3x1}1C788 JrDctjd||r tStjd||r tStjd||r t Stjd||r t Stjd||r t Stjd||r t Stjd||r tStjd ||r tStjd ||r tStjd ||r tStS) Nzfdeploy1\.ini$r@z audit\.csv$z GptTmpl\.inf$z GPT\.INI$z scripts\.ini$zpsscripts\.ini$z GPE\.INI$z.*\.ini$z.*\.pol$z.*\.aas$) rematchrr r!rrrrrr")rqr@s rB find_parserrs xx!4u5"$$ xxE2!! xx $e4!! xx d%0~ xx $e4!## xx"D6!## xx d%0 z xx T/} xx T/} xx T/} :rDcd}tjj|stj||g}|g}|r?|j }|j }|j |t }|jd|D]} |dz| dz} tjj|| d} | dtjzr8|j| |j| tj| |j| } t| |zd5} | j| dddt| d}|j!| |j#| d z|r>yy#1swYDxYw) N .SAMBABACKUPattribsc |dSNrqr`xs rBz2backup_directory_remote_to_local..+ AfIrDkeyrrqattribwb.xml)ospathisdirmkdirpoplist attr_flagssortr>libsmbFILE_ATTRIBUTE_DIRECTORYrWloadfileopenwriterparse write_xml)conn remotedirlocaldirSUFFIXr_dirsl_dirsr_dirl_dirdirlistrlr_namel_namedatafparsers rB backup_directory_remote_to_localr sK F 77== " ]F\F   ))E:)6 - . 2AT\AfI-FWW\\%63F{V<<< f% f% }}V,&6/40"AGGDM"%QvY/ T"  &1 2  ""s +FF cvtjj|stj||g}|g}|r|j }|j }|j |t }|jd|D]}|dz|dz} tjj||d} |dtjzr8|j| |j| tj| |j| } t| dj| |ryy)Nrc |dSrr`rs rBrz0copy_directory_remote_to_local..NrrDrrrqrr)rrrrrrrrr>rrrWrrr) rrrrrrrrrlrrrs rBcopy_directory_remote_to_localrDs 77== " [FZF   ))E:)6 - . /AT\AfI-FWW\\%63F{V<<< f% f% }}V,VT"((. / rDc|j|s|j||g}|g}|r|j}|j}tj|} | j | D]} tj j|| } |dz| z} tj j| r5|j| |j|  |j| |r |j| t| dj} |j| | |r yy#t$r|sYwxYw#t$rYQwxYw)Nrrb)chkpathrrrlistdirrrr>rrWrrrreadsavefile)rrrignore_existing_dirkeep_existing_filesrrrrrrlrrrs rBcopy_directory_local_to_remoter\s6 << " 9ZF[F   **U#  ,AWW\\%+FT\A%Fww}}V$ f% f%JJv& ' f- FD)..0 fd++ , %./)s$ D;5E ; E  E  EEceZdZdZdZy) GPOCommandcx|.tj}td|z|jtj j |std|ztj j|d}tj j |st j|tj j||}tj j |rtd|z t j|||fS#ttf$r}td|d}~wwxYw)aEnsure that the temporary directory structure used in fetch, backup, create, and restore is consistent. If --tmpdir is used the named directory must be present, which may contain a 'policy' subdirectory, but 'policy' must not itself have a subdirectory with the gpo name. The policy and gpo directories will be created. If --tmpdir is not used, a temporary directory is securely created. Nz5Using temporary directory %s (use --tmpdir to change))filez'Temporary directory '%s' does not existrz8GPO directory '%s' already exists, refusing to overwritez%Error creating teporary GPO directory) tempfilemkdtempprintoutfrrrrr>rIOErrorOSError)selftmpdirrrgpodirrls rBconstruct_tmpdirzGPOCommand.construct_tmpdirs >%%'F IFRyy "ww}}V$H6QR R77<<1ww}}X& HHX h, 77== JVSU U K HHV v~! KFJ J KsDD9( D44D9c t|jt|j|j|_y#t $r}td|jz|d}~wwxYw)z$make a ldap connection to the serverrj session_info credentialsrhzLDAP connection to %s failed N)rrjrrirhrrgr)rrls rB samdb_connectzGPOCommand.samdb_connectsY N488,:,<+/::$''CDJ N>I1M M Ns:= A$AA$N)__name__ __module__ __qualname__rrr`rDrBrrs!FNrDrceZdZdZdZej ejejdZ e ddde dd gZ d d Z y ) cmd_listallzList all GPOs.%prog [options] sambaopts versionoptscredopts-H--URL%LDB URL for database or target serverURLHhelptypemetavardestNc B|j|_|j|jd|_t |j|j||_|j t|jd}|D]}|jjd|ddz|jjd|ddz|jjd|d dz|jjd |jz|jjd t|d d z|jjdttt|ddz|jjdy)NTfallback_machineGPO : %s rqrdisplay name : %s rrpath : %s rsdn : %s version : %s rp0flags : %s r@ ) get_loadparmrhget_credentialsrirmrjrrrrrrQr$rCrX)rrrr rrrs rBrunzcmd_listall.runsF((*--dgg-M $''4::q1 4::t, "A IIOO1AfIaL@ A IIOO1Am4DQ4GG H IIOO1A6F4G4JJ K IIOO1ADD8 9 IIOO1LOUX4YY Z IIOO14DSVWY`bcIdEe4ff g IIOOD ! "rDNNNNrrr__doc__synopsisrG SambaOptionsVersionOptionsCredentialsOptionstakes_optiongroupsrr takes_optionsr!r`rDrBrrsT H))--.. tW#JQT3 (M "rDrceZdZdZdZdgZejejejdZ e ddde dd gZ d d Zy )cmd_listzList GPOs for an account.z&%prog [options] accountnamerr r r r rrNc |j|_|j|jd|_t |j|j||_|j  |jjdtj|dtj|d}|dj} |jj|tjd g d}d |d v}tt z} |j $|j j#d r | t$z} t&j(j+|j|j|| } | j,} g} d} tj.|jt1|j3} |jj|tjddg d}d|vrt5t1|dd}|D]}| s|dt6j8zs|dt6j:zr4 t<j>t<j@zt<jBz}|jj|dtjgdd|zg}|ddd}tEt<jF|} t&j<jM|| t<jNt<jPzt<jRztWtY|ddd}|r|t6jZzrD|s|t6j\zr[| j_|ddd|dddftWtY|dd}|t6j`zrd} ||jjck(rn|j3}0|rd }nd}|jHjKd|d|d | D]*}|jHjKd!|dd|d"d ,y#t$rtd|zwxYw#t$rtd |zwxYw#t$r%|jHjKd|dzYwxYw#tT$r,|jHjKd|jzYwxYw)#NTrz(&(|(samAccountName=z)(samAccountName=z$))(objectClass=User)))ryrzFailed to find account %s objectClass)rwrxrzcomputerz!Failed to find objectClass for %sldap)lp_ctxrQsession_info_flagsr gPOptionsrGrQ)rqrrr@rorv)rwrxrzr{roz8Failed to fetch gpo object with nTSecurityDescriptor %s zFailed access check on %s r@rrrqFuserz GPOs for r<rz rO)2rrhr rirmrjrrrr~rrQrgrrrrrUrsambaauth user_sessionsecurity_tokenrrparentr]r GPLINK_OPT_ENFORCEGPLINK_OPT_DISABLEr SECINFO_OWNER SECINFO_GROUP SECINFO_DACLr descriptorrr access_checkSEC_STD_READ_CONTROL SEC_ADS_LISTSEC_ADS_READ_PROPrVrXr$GPO_FLAG_MACHINE_DISABLEGPO_FLAG_USER_DISABLErWGPO_BLOCK_INHERITANCEr|)rr-rrr rruser_dn is_computerr3sessiontokengposinheritrQglistr[rgmsg secdesc_ndrsecdescr@ gpoptionsmsg_strs rBr!z cmd_list.runs((*--dgg-M $''4::q1  J**##%(%6%6{%CSEVEVWbEc0e#fC!fiiG  R**##}o#^_`aC$M(::K?=> 88 DHH$7$7$? "E E **))$**TWW=O*Q&& VVDJJG - 4 4 6**##3>>(T_I`#abcdC3$SXq)9%:;$QA"AiL4;R;R,R |d&=&==  !$,$:$:$,$:$:%;$,$9$9%: $zz00agS^^8P;JX;U:V 1 X'+1g.D&Ea&H ",X-@-@+"N !33GU4<4Q4Q4<4I4I5J4<4N4N5OP T!Wgq ABE"0M0M(M &ED4N4N,N KKa!7!:DGFOAI4555TZZ2244Bcf  GG g{CD :A IIOOQqT1Q48 9 :g J:[HI I J RB[PQ Q RN%! (c()$)01 !(! (E(NO !s?/AQ7QB Q:AR+QQ7:*R('R(+1S S r")rrrr$r% takes_argsrGr&r'r(r)rrr*r!r`rDrBr,r,sY#7HJ))--.. tW#JS 2M a:rDr,ceZdZdZdZej ejejdZ dgZ e dde gZ d d Zy) cmd_showzShow information for a GPO.%prog [options]rrr r rrNc  |j|_|j|jd|_|r|j dr |dd}||_nGt |j|j}t|j|j||_|j t|j|d} |dd}ttj|} | j!} |j"j%d |d dz|j"j%d |d dz|j"j%d|ddzd|vr$|j"j%d|ddzd|vr$|j"j%d|ddz|j"j%d|j&z|j"j%dt)|ddz|j"j%dt+t-t)|ddz|j"j%d| zt/|d|j|j} |jj1d} dj3| j5d|d g} g}d!D]} tt6j8| j;| |z}|jHD]}|jJd#k(ri}|jL|d$<|jJ|d%<||d&<tO|jP|d'<|jR|d(<tQ|d(tTk(r\|jPtVk(r8|d(jYd)}|j[d*j]d*|d(<nt_|d(|d(<|ja|"|j"j%d+tcjd||j"d,-|j"j%d.y#t$rtd|zwxYw#t$rd } YpwxYw#t<$rM}|j>dt@tBtDfvrYd}~|j>dtFk(r td"d}~wwxYw)/NTrrfrkrGPO '%s' does not existrozrrqrrrrrsrtzMachine Exts : %s ruzUser Exts : %s rrrprrr@zACL : %s sysvolrhrirealmrPoliciesz%s\Registry.pol)MACHINEUSER:The authenticated user does not have sufficient privilegesz **delvals.keyname valuenameclassrrz utf-16-lezPolicies : )indentr)3rrhr rirUrjrrmrrrrgrr r r@as_sddlrrrQr$rCrXr3getr>rr rrrargsr-r.r/r1entriesrerdr,rrbytesr6decoderstriprSrrWjsondump)rrrrr r dc_hostnamerrPrQ secdesc_sddlrr_pol_file policy_defs policy_classpol_datarlentrydefsrs rBr!z cmd_show.runZsC((*--dgg-M  i(AB%KDH'? -M0B10EEF -4D0Ea0HHI % , IIOO1C8R4STU4VV W "c ) IIOO1C8O4PQR4SS T -67 - S/SV0WWX -0@\RUW^`aEbAc0dde - <=k&!%$(JJ0  G$99ekkmZ 245 / )L %dii&*mmH|4K&LN")) )??l2"'--Y$)OO[! ,W *5::6V $zzV V %.zz\1#F|22;?'+{{6':'@'@'HV '+DL'9V ""4(! ) )> *+ +tyy3 C @83>? ? @ &%L &:! 66!9!>!@!@!BB66!9 77&(HII s<0Q 2Q ,Q0Q Q-,Q-0 S9 S"SSr"rrrr$r%rGr&r'r(r)rTrrr*r!r`rDrBrVrVIsT%&H))--.. J tALMRrDrVc eZdZdZdZej ejejdZ dgZ e dde e dd e e d d d d gde dd dd gde ddddgZ ddZy)cmd_loadaLoad policies onto a GPO. Reads json from standard input until EOF, unless a json formatted file is provided via --content. Example json_input: [ { "keyname": "Software\Policies\Mozilla\Firefox\Homepage", "valuename": "StartPage", "class": "USER", "type": "REG_SZ", "data": "homepage" }, { "keyname": "Software\Policies\Mozilla\Firefox\Homepage", "valuename": "URL", "class": "USER", "type": "REG_SZ", "data": "google.com" }, { "keyname": "Software\Microsoft\Internet Explorer\Toolbar", "valuename": "IEToolbar", "class": "USER", "type": "REG_BINARY", "data": [0] }, { "keyname": "Software\Policies\Microsoft\InputPersonalization", "valuename": "RestrictImplicitTextCollection", "class": "USER", "type": "REG_DWORD", "data": 1 } ] Valid class attributes: MACHINE|USER|BOTH Data arrays are interpreted as bytes. The --machine-ext-name and --user-ext-name options are multi-value inputs which respectively set the gPCMachineExtensionNames and gPCUserExtensionNames ldap attributes on the GPO. These attributes must be set to the correct GUID names for Windows Group Policy to work correctly. These GUIDs represent the client side extensions to apply on the machine. Linux Group Policy does not enforce this constraint. {35378EAC-683F-11D2-A89A-00C04FBBCFA2} is provided by default, which enables most Registry policies. rWrrr r rX --contentJSON file of policy inputs--machine-ext-namerW machine_exts&{35378EAC-683F-11D2-A89A-00C04FBBCFA2}z;A machine extension name to add to gPCMachineExtensionNames)actionrdefaultr--user-ext-name user_extsz5A user extension name to add to gPCUserExtensionNamesz --replace store_trueFz8Replace the existing Group Policies, rather than mergingrrrNc |dg}|dg}|2tjtjj } nUt j j|r+t|d5} tj| } dddn td|j|_ |j|jd|_t|j|j||_|j#t%||j|j|j&|} |D]} | j)| d|D]} | j)| d |r| j+ y| j- y#1swYxYw#t.$r'}|j0dt2k(r td d}~wwxYw) Nrr$The JSON content file does not existTrrtrurrc)rqloadssysstdinrrrexistsrloadrrrhr rirmrjrr5rregister_extension_name replace_smerge_srrlr1)rrrcontentrrreplacerr rrvrregext_namerls rBr!z cmd_load.runs  DEL  ABI ?**SYY^^%56K WW^^G $gt$ +"iil  + +EF F((*--dgg-M $''4::q1 #C$**djj!L$ NH  ' '2L M N! KH  ' '2I J K  k* K(% + +& vvay33"$DEE  s**F!F5FF G"F>>G)NNNNFNNNr{r`rDrBr}r}s0d'H))--.. J tAL{!=CH#.=>N P  +=>H J {<N P M(,FJ#rDr}c eZdZdZdZej ejejdZ dgZ e dde e dd e e d d gd d e dd gddgZ ddZy) cmd_removeagRemove policies from a GPO. Reads json from standard input until EOF, unless a json formatted file is provided via --content. Example json_input: [ { "keyname": "Software\Policies\Mozilla\Firefox\Homepage", "valuename": "StartPage", "class": "USER", }, { "keyname": "Software\Policies\Mozilla\Firefox\Homepage", "valuename": "URL", "class": "USER", }, { "keyname": "Software\Microsoft\Internet Explorer\Toolbar", "valuename": "IEToolbar", "class": "USER" }, { "keyname": "Software\Policies\Microsoft\InputPersonalization", "valuename": "RestrictImplicitTextCollection", "class": "USER" } ] Valid class attributes: MACHINE|USER|BOTH rWrrr r rXr~rrrWrz@A machine extension name to remove from gPCMachineExtensionNames)rrrrrrz:A user extension name to remove from gPCUserExtensionNamesNc `|g}|g}|2tjtjj } nUt j j|r+t|d5} tj| } dddn td|j|_ |j|jd|_t|j|j||_|j#t%||j|j|j&|} |D]} | j)| d|D]} | j)| d | j+ y#1swYxYw#t,$r'} | j.dt0k(r tdd} ~ wwxYw) NrrTrrtrurrc)rqrrrrrrrrrrrrhr rirmrjrr5runregister_extension_nameremove_srrlr1)rrrrrrrr rrvrrrrls rBr!zcmd_remove.runWs  L  I ?**SYY^^%56K WW^^G $gt$ +"iil  + +EF F((*--dgg-M $''4::q1 #C$**djj!L$ PH  ) )(4N O P! MH  ) )(4K L M  LL % + +  vvay33"$DEE  s$(E1E=1E:= F-"F((F-NNNNNNNr{r`rDrBrr!s@'H))--.. J tAL{!=CH#RnS U  RkM O MKO7;rDrceZdZdZdZej ejejdZ dgZ e dde gZ d d Zy) cmd_getlinkzList GPO Links for a container.%prog [options]rrr r rXNc|j|_|j|jd|_t |j|j||_|j  |jj|tjddgd}d|vr|dr|jjd|ztt!|dd}|D]}t#|j|d  }|jjd |dd dz|jjd |dddz|jjdt%|dz|jjdy|jjd|zy#t$rtd|zwxYw)NTrrrrrrzGPO(s) linked to DN %s rQ)rQz GPO : %s rqz Name : %s rrz Options : %s rGrzNo GPO(s) linked to DN=%s )rrhr rirmrjrrrr~rrgrrrr]rrrH) rrrrr rrrcr[s rBr!zcmd_getlink.runs((*--dgg-M $''4::q1  O**##S^^/@+3*$6679C s?s8} IIOO6E F!#c(mA&6"78F &"4::!D':  4s1vf~a7H HI  4s1vm7LQ7O OP  47LQy\7Z Z[ %  & IIOO9LH I O>MN N Os /1F55G r"r{r`rDrBrrxs_)/H))--.. !!J tALMBFJrDrc eZdZdZdZej ejejdZ ddgZ e dde e d d d d d e ddd d dgZ ddZy) cmd_setlinkz(Add or update a GPO link to a container.$%prog [options]rrrr r rXz --disabledisabledFrzDisable policyrrrrz --enforceenforcedzEnforce policyNc |j|_|j|jd|_t |j|j||_|j d} |r| tjz} |r| tjz} t|j|dtt|j|} |jj!|t"j$ddgd} d } d| vrxt't| dd} d} d }| D]/}|d j)| j)k(s(| |d <d}n|rtd |z| j+d| | dng} | j-| | dt/| }t#j0}t#j2|j||_| r)t#j6|t"j8d|d<n(t#j6|t"j:d|d< |jj=||j>jAdtCjE|||||y#t$rtd|zwxYw#t$rtd |zwxYw#t$r}td|d}~wwxYw)NTrrrr\rrrrFrQrGz)GPO '%s' already linked to this containerrP new_valuezError adding GPO LinkzAdded/Updated GPO link )#rrhr rirmrjrr r<r;rrrgrrr4rr~rr]rinsertrWrdrrrQrr FLAG_MOD_ADDrrrrr!)rrrrrrrr rgplink_optionsrrexisting_gplinkrcrr[rrrls rBr!zcmd_setlink.runs((*--dgg-M $''4::q1   d55 5N  d55 5N @  -a 0Z C01 O**##S^^/@+3*$6679C  s?!#c(mA&6"78F"OE T7==?flln4#1AiL E   "#NQT#TUU a>!JKF MMNC D"6* KKMvvdjj,/  // C? ? @ O>MN N OD ;6: : ;s0J1J!2J<J!J9< K KK)NFFNNNr{r`rDrBrrs25H))--.. !%(J tAL{U<$ &{U<$ & MGL7;BMrDrceZdZdZdZej ejejdZ ddgZ e dde gZ d d Zy ) cmd_dellinkz!Delete GPO link from a container.rr containerrr r rXNc(|j|_|j|jd|_t |j|j||_|j  t|j|dtj|j|}t|j|||jjdt!j#|||||y#t$rtd|zwxYw)NTrrrr\zDeleted GPO link. )rrhr rirmrjrrrrgrr~rrrrrr!)rrrrrr rrs rBr!zcmd_dellink.runs((*--dgg-M $''4::q1  @  -a 0vvdjj)4 TZZs3 -. ,9h L  @83>? ? @s /C99Dr"r{r`rDrBrrsa+5H))--.. u%J tALMDHMrDrceZdZdZdZej ejejdZ dgZ e dde gZ d d Zy) cmd_listcontainersz%List all linked containers for a GPO.rWrrr r rXNc|j|_|j|jd|_t |j|j||_|j t|j|}t|rG|jjd|z|D]#}|jjd|dz%y|jjd|zy)NTrzContainer(s) using GPO %s z DN: %s rQzNo Containers using GPO %s ) rrhr rirmrjrrrrTrr)rrrrr rrrs rBr!zcmd_listcontainers.run9s((*--dgg-M $''4::q1  S1 s8 IIOO9C? @ : 4 89 : IIOO:S@ ArDr"r{r`rDrBrr(s\/&H))--.. J tALM9=BrDrceZdZdZdZej ejejdZ dgZ e dde gZ d d Zy) cmd_getinheritancez%Get inheritance flag for a container.rrrr r rXNc:|j|_|j|jd|_t |j|j||_|j  |jj|tjddgd}d}d|vrt|dd}|tjk(r|j j#dy|j j#d y#t$rtd|zwxYw) NTrrr4rrrz$Container has GPO_BLOCK_INHERITANCE zContainer has GPO_INHERIT )rrhr rirmrjrrrr~rrgrrXr rGrr)rrrrr rr inheritances rBr!zcmd_getinheritance.run]s((*--dgg-M $''4::q1  O**##S^^/@+6-$99:MN N Os /1DDr"r{r`rDrBrrLs^//H))--.. !!J tALMBF;rDrceZdZdZdZej ejejdZ ddgZ e dde gZ d d Zy ) cmd_setinheritancez$Set inheritance flag on a container.z.%prog [options]rr inherit_stater r rXNc|jdk(rtj}n2|jdk(rtj}nt d|z|j |_|j|j d|_t|j |j||_ |j |jj|tjddgd }tj"} tj$|j|| _d|vr2tj(t+|tj,d| d <n1tj(t+|tj.d| d < |jj1| y#t $rt d |zwxYw#t $r} t d |z| d} ~ wwxYw) NblockrMzUnknown inheritance state (%s)Trrr4rrrrz"Error setting inheritance state %s)rr rG GPO_INHERITrrrhr rirmrjrrrr~rrgrrrQrrrrr) rrrrrr rrrrrls rBr!zcmd_setinheritance.runs    G +44K  "i /**K?-OP P((*--dgg-M $''4::q1  O**##S^^/@+6-$99:MN N O XCmSUVW W Xs$1F3G3G  G+G&&G+r"r{r`rDrBrrxsa.?H))--.. !/2J tALMQU"XrDrceZdZdZdZej ejejdZ dgZ e dde e dd e gZ d d Zy ) cmd_fetchzDownload a GPO.rWrrr r rX--tmpdir,Temporary directory for copying policy filesNcD|j|_|j|jd|_|r|j dr |dd}||_nGt |j|j}t|j|j||_|j t|j|d}t|dd} t| \} } } t!|| |j|j } |j#||\}} t%| | ||j&j)d |zy#t$rtd|zwxYw#t$rtd | zwxYw#t$r}td |d}~wwxYw) NTrrfrZr[rr\rsInvalid GPO path (%s)r^Error copying GPO from DCGPO copied to %s )rrhr rirUrjrrmrrrrgrrrrr3rrrr)rrrrrr rrsrrdom_nameservice sharepathrrrls rBr!z cmd_fetch.runs((*--dgg-M  i(AB%KDH'-6s^ *Xw k7tww$(JJ0..vs; ? *4F C ,v56- @83>? ? @ >6<= = > ?:A> > ?s00EE*# FE'*F F FFNNNNNr{r`rDrBrrsa&H))--.. J tALz NUXYM &7rDrc eZdZdZdZej ejejdZ dgZ e dde e dd e e d d d d e ddde gZ ddZedZy) cmd_backupz Backup a GPO.rWrrr r rXrrz --generalizez"Generalize XML entities to restoreFrrrr --entitiesz4File to export defining XML entities for the restoreent_file)rrrNc &|j|_|j|jd|_|r|j dr |dd} ||_nGt |j|j} t|j|j| |_|j t|j|d} t| dd} t| \} } }t!| | |j|j }|j#||\}} t%||||j&j)d |z|r|j&j)d t*j-|j&||}ddl}dj1dt3|j5|j7dD}|rEt9|d5}|j)|ddd|j&j)d|zn6|j&j)d|j&j)|dD]T}|| vst9t:j<j1||dzd5}|j)| |ddddVy#t$rtd|zwxYw#t$rtd | zwxYw#t$r}td |d}~wwxYw#1swY xYw#1swYxYw)NTrrfrZr[rr\rsrr^rrz( Attempting to generalize XML entities: rJc3jK|]+}dj|djd|d-yw)zrOz&;rN)formatrR)raents rBrbz!cmd_backup.run...s9^!$177A T8JCPQFS^s13rOrwz$Entities successfully written to %s z Entities: rtru .SAMBAEXTr)rrhr rirUrjrrmrrrrgrrrrr3rrrrrgeneralize_xml_entitiesoperatorr>sorteditems itemgetterrrr)rrrr generalizerr rrrsrrrrrrrrlentitiesrentsrexts rBr!zcmd_backup.runs((*--dgg-M  i(AB%KDH'-6s^ *Xw k7tww$(JJ0..vs; ? ,T9f E ,v56  IIOOH I!99$))V:@BH 77^(.x~~/?XEXEXYZE[(\^^D(C("AGGDM"  G (!)* 0 %I )Ccz"'',,vs[/@A4H)AGGCHQK()) )W @83>? ? @ >6<= = > ?:A> > ?""))sH0J'K# KK:L'J?K K7& K22K7:LL ci}tjj|stj||g}|g}|r|j }|j }tj |}|j |D]} tjj|| } tjj|| } tjj| rX|j| |j| tjj| rtj| | jdr}tjj| dd} t| } t| d5}|j}dddtj }| j#|| |}Itjj)| | rkt+j,| | |r|S#1swYtxYw#t$$r|j'd| zYwxYw)Nrrz%SKIPPING: Generalizing failed for %s )rrrrrrrr>rrWendswithbasenamerrrET fromstringgeneralize_xmlrrsamefileshutilcopy2)r sourcedir targetdirrrrrrrrlrrto_parserltempr concrete_xmlfound_entitiess rBrz"cmd_backup.generalize_xml_entities@sww~~i( HHY JJLEJJLEjj'G LLN! 9eQ/eQ/77==(MM&)MM&)77>>&1(v.$&77#3#3F#;CR#@!,X!6\!%fc!24e',zz|4,.==+>L-3-B-B=H>)NNFNNNN)rrrr$r%rGr&r'r(r)rTrrr*r! staticmethodrr`rDrBrrs&H))--.. J tALz NUXY~$H\ 3|"XS * MIM6:?)B11rDrceZdZdZdZej ejejdZ dgZ e dde e dd e gZ d d Zy ) cmd_createzCreate an empty GPO.z%prog [options]rrr r rXrrNc|j|_|j|jd|_t |j|j}|rc|j drR|dd}||_tjtjztjz} |j|| } ntjtjztjz} |j|jjd| } | j}t|j|j| |_|jt!|j"| } | j$d kDrt'd |zt)t+j,} d | j/z} | |_| j2}d|d|d| }|j5|| \|_}||_ t;j<t:j>jA|dt;j<t:j>jA|dd}tCt:j>jA|ddjE|tI|\}}}||_%tM|||j|j}||_'|j"jQ tS|j"| }tUjV}||_,tUjZdtTj\d|d<|j"j_|tUjV}tUj`|j"dt)|z|_,tUjZdtTj\d|d<|j"j_|tUjV}tUj`|j"dt)|z|_,tUjZdtTj\d|d<|j"j_|tbjdtbjfztbjhz}t!|j"| |d } | dd }tktbjl|jo}tcjp|j"js}tu||}tbjljw||}ty||tbjdtbjfztbjhztbjzz}|j}|||t|||tUjV}||_,tUjZ|tTjd |d!<tUjZ|tTjd"|d#<tUjZd$tTjd%|d&<tUjZd'tTjd(|d)<tUjZd$tTjd*|d+<d,g} |j"j|| -|j"j|tj|j6|jjEd.|d/| d0y#tF$r}t'd|d}~wwxYw#tF$r|j"jwxYw)1NTr)rirhrfrZ)addressr@r_)domainr@r[)rrz%A GPO already existing with name '%s'{%s}rz\sysvol\z \Policies\MachineUserz[General] Version=0 zGPT.INIrzError Creating GPO filesr^groupPolicyContainerr/a01 CN=User,%sr CN=Machine,%s)rrrorra02rsa03rrpa052gpcFunctionalityVersiona07r@a04zpermissive_modify:0)r{zGPO 'z ' created as r)Grrhr rirrUrjrNBT_SERVER_LDAP NBT_SERVER_DSNBT_SERVER_WRITABLEfinddcrk pdc_dns_namermrrrcountrruuiduuid4uppergpo_name dns_domainrrrrrrr>rrrgrrr3rtransaction_startr4r~rrQrraddrr r=r>r?r r@rjdom_sidget_domain_sidr from_sddlr2SECINFO_PROTECTED_DACLset_aclrrrtransaction_committransaction_cancelrrmtreer)!rrrrrr rnetrsr@ cldap_retrguidrr_unc_pathr gpt_contentsrlrrrrrr ds_sd_flags ds_sd_ndrds_sd domain_sidsddlfs_sdsior{s! rBr!zcmd_create.runs((*--dgg-M  tww/ i(AB%KDH((&&',,-E ;e DI((&&',,-E $''++g*>e LI#00KdggtzzkBDH 4::;? 99q=FTU UDJJL!tzz|# $$9>sK#33FC@ V  > HHRWW\\&)4 5 HHRWW\\&&1 27L fi0# 6 < <\ J *38)<&7I"k7tww$(JJ0  $$&< , C0F AAD))*@#BRBRTabAeH JJNN1  A66$**lS[&@AAD))+s7G7GWAeH JJNN1  A66$**oF &CDAD))+s7G7GWAeH JJNN1 $11#112#001Ktzzs[I!LC23A6Ix22I>FFHE"))$***C*C*EFJuj1D''11$ CE "$ 2))))*(()223C LLE3 / +4 C AAD))+s7K7K][AeH))(C4H4HJZ[AeH))#s/C/C_UAeH))#s/C/CE^_AeH))#s/C/CWMAeH-.H JJ  a(  3 JJ ) ) + > MM$++ & k3GH] >91= = >H  JJ ) ) +  s&B!\)?O ]) ]2 \>>]%]+rr{r`rDrBrrusm.H))--..  J tALz NUXYM NR~IrDrc eZdZdZdZej ejejdZ ddgZ e dde e d d e e d d e e d dddgZ ddZ dfd ZxZS) cmd_restorez!Restore a GPO to a new container.z/%prog [options]rrbackupr r rXrrrz8File defining XML entities to insert into DOCTYPE headerz--restore-metadataz7Keep the old GPT.INI file and associated version numberFrrc<d}tjj|stj||g}|g}|r|j }|j }tj |} | j | D]} tjj|| } tjj|| } tjj| rX|j| |j| tjj| rtj| | jdstjj| dd} t| } t| d5}|j}d}|j|r9|t!|d}|j#t%j&||z|zn'|j#t%j&||z|j)| ddddd|ryy#1swYxYw#t*$r^| dd|z}t-j.|| dd|j0j3d| z|j0j3dY"ddl}|j7| dd|z}t-j.|| dd|j0j3d | z|j0j3dYxYw) Nrrrrz&zWARNING: No such parser for %s z.WARNING: Falling back to simple copy-restore. rz%WARNING: Error during parsing for %s )rrrrrrrr>rrWrrrrrrUrTload_xmlrr write_binaryrrrrr traceback print_exc)rrr dtd_headerrrrrrrrlrrrrrrxml_head original_filer,s rB restore_from_backup_to_local_dirz,cmd_restore.restore_from_backup_to_local_dirs}ww~~i( HHY JJLEJJLEjj'G LLN4 _eQ/eQ/77==(MM&)MM&)77>>&1(v.$&77#3#3F#;CR#@!,X!6#_!%fc!2Ae',zz|+S#'??8#<,0H +?D%+OOBMM(ZBWZ^B^4_$`$*OOBMM*tBS4T$U!' 3 3F3BK @!A%4 _ 0AA$ 3_,23BK&,@M"LLs D IIOO,NQY,YZ IIOO,]^ _,%//1-33BK&,@M"LLs D IIOO,TW],]^ IIOO,]^s- IBH7&I7I <IA#L)A/Lc d} tjj|std|z|d} tjj|std|zt |d5} | j } t jd| t j td| | jz } ddd| d z } tt|3|||||| |j||j| | } t|j |j|j"d | t%|j&|j(}d D]}tjj+||d z}tjj|sFt |d5}|j }dddt-j.}||_t-j2t,j4|||<|j&j7|y#1swYdxYw#1swYwxYw#t8$r}ddl}|j=|j>jAtC|dz|j>jAdtE}|j|j(||||td|zd}~wwxYw)NrJz"Backup directory does not exist %sz)+\s*\ZrzPEntities file does not appear to conform to format e.g. z ]> T)rrrrrrrz%Failed to restore GPO -- deleting... zFailed to restore: %s)#rrrrrrrr MULTILINErRsuperr'r!r1rrrrr4rrr>r~rrQrrrrgr,r-rrrcmd_del)rrr(rrrrr rrestore_metadatar. entities_fileentities_contentkeep_new_filesrrext_filerrrrlr,cmd __class__s rBr!zcmd_restore.runas ww~~f%CfLM M  0J77>>(+"#D#+$,--h$ 7 #0#5#5#7 88I,BLLBEIJ&(GHH.4466  7 ( "J k4$[!VY%-{ <& <  1 1&$++2< >"21N +499dkk+/>>?C?M O   DMM:FM )77<<k0AB77>>(+h-( vvx( A!AD //c6J6J035AcFJJ%%a( )A 7 7F(( <     ! IIOOCFTM * IIOOD E)C GGDMM1i; G6:; ; ? ? @8  JJ ) ) +  s0+J.(E K .K %K.r"r{r`rDrBr5r5s[&H))--.. J tALM9=63rDr5ceZdZdZdZej ejejdZ e ddde dd gZ d d Z y ) cmd_aclcheckz.Check all GPOs have matching LDAP and DS ACLs.rrr r r r rrNc |j|_|j|jd|_t |j|j||_|r|j dr |dd}||_nGt|j|j}t |j|j||_|jt|jd}|D]G}t|dd} t|\} } } t|| |j|j } | j!| t"j$t"j&zt"j(zt"j*} d |vr td |d d}t-t"j.|j1}t#j2|jj5}t7||}| j1||k7s'td | j1|d | d|y#t$rtd|zwxYw)NTrrfrZr[rsrrr^rozKCould not read nTSecurityDescriptor. This requires an Administrator accountzInvalid GPO ACL z on path (z ), should be )rrhr rirmrjrUrrrrrrrrr3get_aclr r=r>r?SEC_FLAG_MAXIMUM_ALLOWEDr r@rjrrr)rrrr rrsrrrrrrrr$r r!r"expected_fs_sddls rBr!zcmd_aclcheck.runs%((*--dgg-M $''4::q1 i(AB%KDH'FFHE"))$***C*C*EFJ*5*=  j)-=="V[VcVcdnVoqz}M$NOO5 O  B"#:S#@AA Bs H99Ir"r#r`rDrBrCrCsU8 H))--.. tW#JQT3 (M -OrDrCc eZdZdZdZej ejejdZ e ddde dd e d d e e jjej d  gZ ddZy) cmd_admxloadz Loads samba admx files to sysvolrrr r r r rrz --admx-dirz)Directory where admx templates are storedz samba/admx)rrrNc|j|_|j|jd|_|r|j dr |dd}||_nGt |j|j}t|j|j||_t|d|j|j}dj|jjd jd d g} |j|t%j&|D]\} } } | D]} | j)|d}t$j*j| | }dj||gj)dd}dj|| g} t-||t/|d5} |j1||j3ddd|j4j7dy#t$rC} | jd tk(r t!d | jd t"k7rYd} ~ 3d} ~ wwxYw#t$rB} | jd tk(r t!d | jd t"k7rYd} ~ d} ~ wwxYw#t$r+} | jd tk(r t!d Yd} ~ d} ~ wwxYw#1swYxYw)NTrrfrZr[r]r^rr_r`PolicyDefinitionsrrcrJrraInstalling ADMX templates to the Central Store prevents Windows from displaying its own templates in the Group Policy Management Console. You will need to install these templates from https://www.microsoft.com/en-us/download/102157 to continue using Windows Administrative Templates. )rrhr rirUrjrrmr3r>rkrrrrlr1rr0rwalkrrr2rrrrr)rrrr radmx_dirrsrsmb_dirrldirnamedirsfilesfname path_in_admx full_pathsub_dirsmb_pathrs rBr!zcmd_admxload.runFs((*--dgg-M  i(AB%KDH'?  JJw %'GGH$5 Q GT5 Q&x< GGLL%8 ))Wl$;<DDS$O99gu%56)$8)T*QaQ h9QQ Q Q* P Q9 vvay33"$DEE==>  %vvay$;;*,LMM&EEF )Q66!9(??".0P#QQ@QQQs`>G; I 1K3 J; I8II J8JJ K !!K KK KK r)rrrr$r%rGr&r'r(r)rrrrr>r#data_dirr*r!r`rDrBrIrI4s* H))--.. tW#JQTC )|"M"'',,~u~~/?"N PMFJ8QrDrIceZdZdZdZej ejejdZ e ddde dd e d d d d gZ gdZ ddZy)cmd_add_sudoersaAdds a Samba Sudoers Group Policy to the sysvol This command adds a sudo rule to the sysvol for applying to winbind clients. The command argument indicates the final field in the sudo rule. The user argument indicates the user specified in the parentheses. The users and groups arguments are comma separated lists, which are combined to form the first field in the sudo rule. The --passwd argument specifies whether the sudo entry will require a password be specified. The default is False, meaning the NOPASSWD field will be specified in the sudo entry. Example: samba-tool gpo manage sudoers add {31B2F340-016D-11D2-945F-00C04FB984F9} ALL ALL fakeu fakeg The example command will generate the following sudoers entry: fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL z7%prog [groups] [options]rr r r r rrz--passwdrFz;Specify to indicate that sudo entry must provide a passwordr)rcommandr5userszgroups?Nc X |j|_| j|jd|_|r|j dr |dd} ||_nGt |j|j} t|j|j| |_t| d|j|j} |jt||j|j|j|} |jjd}d j|jd |d d g}d j|d g} tj tj"| j%|}|j'j)d}|j)d}tj6|d}|rtj6|dtj6|d}||_tj6|d }||_tj6|d!}|j?d"D].}tj6|d#}||_d |j@d$<0|A|j?D].} tj6|d#}| |_d%|j@d$<0tC}!|jE|!d&d'|!jGd tI| || jK||!jM| jOd(y#t*$rA}|j,dt.t0t2fvrtj tj4d}tj6|j'd}tj6|d}d|_tj6|d}d|_tj6|d}d|_tj6|d}d|_tj6|d}tj6|d}d|_n"|j,dt:k(r t=dYd}~d}~wwxYw#t*$r'}|j,dt:k(r t=dd}~wwxYw))NTrrfrZr[r]r^r_rr`MACHINE\VGP\VTLA\SudoSudoersConfiguration manifest.xml policysettingrr vgppolicyversion1rqz Sudo Policy descriptionz!Sudoers File Configuration Policy apply_modemerge load_plugintruerc sudoers_entrypasswordrZr5 listelement, principalrgroupUTF-8encodingxml_declarationmachine_changed)(rrhr rirUrjrrmr3rr5rrkr>rr ElementTreerrgetrootfindrrlr-r.r/Element SubElementtextr1rrSrr)rseekr2rrincrement_gpt_ini)"rrrZr5r[groupspasswdrrr rrsrrr_vgp_dirvgp_xmlxml_datar`rrlpvrqrdrergri command_elmuser_elmrkurmr[outs" rBr!zcmd_add_sudoers.runs((*--dgg-M  i(AB%KDH'>>>"**[*AB " h.>.>.@.=!? ]]=)<}}]F;)  mmM=I #F  ]]=,G ") }}]F; mmD-@ #)  55"$DEE !% d vvay33"$DEE   s2A'L+,>Q9+ Q65D6Q11Q69 R)"R$$R))NNNNNNrrrr$r%rGr&r'r(r)rrr*rTr!r`rDrBrYrYsz&IH))--.. tW#JQTC )z,Q SM@JAE?CUrDrYceZdZdZdZej ejejdZ e ddde dd gZ d gZ d d Zy )cmd_list_sudoerszList Samba Sudoers Group Policy from the sysvol This command lists sudo rules from the sysvol that will be applied to winbind clients. Example: samba-tool gpo manage sudoers list {31B2F340-016D-11D2-945F-00C04FB984F9} rWrr r r r rrrNc|j|_|j|jd|_|r|j dr |dd}||_nGt |j|j}t|j|j||_t|d|j|j}|jjd}d j|jd |d d g} tj|j| } | J| j-d} | j,d} | j/dD]}|j-dj0}|j-dj0}|j/d}g}|D]"}|j3|j/d$t5|d kDrKdj|Dcgc]/}|j6ddk(r |j0nd|j0z1c}}nd}|j-ddu}|rdnd}|d|d|d|}|j8j;d |zd j|jd |d!g} t=t>j@|j|}d"}|jBD]g}tE|jF|k(stI|jJjMs@|j8j;d |jJziy#t$rP} | j d t"t$t&fvrd} n"| j d t(k(r t+dYd} ~ gd} ~ wwxYwcc}w#t$rL} | j d t"t$t&fvrYd} ~ y| j d t(k(r t+dd} ~ wwxYw)#NTrrfrZr[r]r^r_rr`r]z!SudoersConfiguration\manifest.xmlrrcr`rrirZr5rkrmrlr%s%%ALLrj NOPASSWD:rJ ALL=()r<%s MACHINE\Registry.pols1Software\Policies\Samba\Unix Settings\Sudo Rights)'rrhr rirUrjrrmr3rkr>rrrrrrlr-r.r/r1rrwfindallrzextendrTrrrr r rrmr%rdr&rrR)rrrrr rrsrr_rrrlrrryrZr5 listelements principalsrkruname nopasswordnp_entryprurxrds rBr!zcmd_list_sudoers.runs((*--dgg-M  i(AB%KDH'> 55"$DEE  .&B vvay:<<>>vvay33"$DEE  s=$L9.4N )N9 NAN  N O/# O*"O**O/r"rr`rDrBrrsb'H))--.. tW#JQTC )M JK5rDrceZdZdZdZej ejejdZ e ddde dd gZ d d gZ dd Zy )cmd_remove_sudoersaRemoves a Samba Sudoers Group Policy from the sysvol This command removes a sudo rule from the sysvol from applying to winbind clients. Example: samba-tool gpo manage sudoers remove {31B2F340-016D-11D2-945F-00C04FB984F9} 'fakeu ALL=(ALL) NOPASSWD: ALL' %prog [options]rr r r r rrrryNc |j|_|j|jd|_|r|j dr |dd}||_nGt |j|j}t|j|j||_t|d|j|j}|jt||j|j|j|} |jjd} d j| jd |d d g} d j| d g} tj tj"|j%| } | j'j)d}|j)d}d j| jd |dg} t9t:j<|j%|}i}|r|j?dngD]}|j)dj@}|j)dj@}|j?d}g}|D]"}|jC|j?d$tE|dkDrKdj|Dcgc]/}|jFddk(r |j@nd|j@z1c}}nd}|j)ddu}|rdnd}|d|d |d!|}|||<||jIvr|jK||tM} jO|d"d#|jQd tS|| |jU| |jW| jYd$y||r$|jZDcgc]}|j\c}ngvro|jZDcgc]}|j\|k7s|}}tE||_/||_- |jU|ta|| jYd$yt7d%|z#t*$rP}|j,dt.t0t2fvrd}n"|j,dt4k(r t7dYd}~d}~wwxYw#t*$rP}|j,dt.t0t2fvrd}n"|j,dt4k(r t7dYd}~d}~wwxYwcc}w#t*$r'}|j,dt4k(r t7dd}~wwxYwcc}wcc}w#t*$r'}|j,dt4k(r t7dd}~wwxYw)&NTrrfrZr[r]r^r_rr`r]r^r_r`rrrcrrirZr5rkrmrlrrrrjrrJrrr<rorprs,Cannot remove '%s' because it does not exist)1rrhr rirUrjrrmr3rr5rrkr>rrrurrrvrwrrlr-r.r/r1rr r rrrzrrTrkeysrr)rr{r2rrr|rmr num_entriesr )rrryrrr rrsrrr_rrrr`rrlrurxrmrZr5rrrkrrrrrrs rBr!zcmd_remove_sudoers.runys((*--dgg-M  i(AB%KDH'&&D99]3LJ+ D !!+"5"5k"BC D:"2<">-.-.HHV,<,F!&&!&&#)">? +t3J'1|rH&+T8WEAGAJ " GLLN " KK ')C NN3$N G HHQK %dG4 gsxxz2%%d%; X(8(89192 N"*"2"2FQaffoqFGF#&w>55"$DEE   vvay:<<>> 55"$DEE  (">&! 66!9 77&(HII   :F! 66!9 77&(HII  s{A'Q)R0-4T .>T>U%U :U -U R-AR((R-0 T 9ATT  U"T<<U U>"U99U>r"rr`rDrBrrase/H))--.. tW#JQTC )M !Jh&rDrcPeZdZdZiZeed<eed<eed<y) cmd_sudoersz#Manage Sudoers Group Policy ObjectsrrrN)rrrr$ subcommandsrYrrr`rDrBrrs1-K(*K*,K.0KrDrceZdZdZdZej ejejdZ e ddde dd gZ gd Z d d Zy )cmd_set_securitya Set Samba Security Group Policy to the sysvol This command sets a security setting to the sysvol for applying to winbind clients. Not providing a value will unset the policy. These settings only apply to the ADDC. Example: samba-tool gpo manage security set {31B2F340-016D-11D2-945F-00C04FB984F9} MaxTicketAge 10 Possible policies: MaxTicketAge Maximum lifetime for user ticket Defined in hours MaxServiceAge Maximum lifetime for service ticket Defined in minutes MaxRenewAge Maximum lifetime for user ticket renewal Defined in minutes MinimumPasswordAge Minimum password age Defined in days MaximumPasswordAge Maximum password age Defined in days MinimumPasswordLength Minimum password length Defined in characters PasswordComplexity Password must meet complexity requirements 1 is Enabled, 0 is Disabled rWrr r r r rr)rrvalue?Nc|j|_|j|jd|_|r|j dr |dd}||_nGt |j|j}t|j|j||_t|d|j|j} |jt||j|j|j|} |jjd} d j| jd |d g} d j| d g} td }t |_| j%| } |j't)|j+dddddddd}||}j=|s|j?|||jA|||n@|jC||tE|jG|dk(r|jI|t)}|jK| tM| | | jO| tQ|jS| jUdy#t,$r-|j't)|j+dY wxYw#t.$rM}|j0dt2k(r t5d|j0dt6t8t:fvrYd}~ud}~wwxYw#t.$r'}|j0dt2k(r t5dd}~wwxYw)NTrrfrZr[r]r^r_rr`z$MACHINE\Microsoft\Windows NT\SecEditz GptTmpl.inf interpolationutf-16rrcKerberos Policy System Access) MaxTicketAge MaxServiceAge MaxRenewAgeMinimumPasswordAgeMaximumPasswordAgeMinimumPasswordLengthPasswordComplexityrs)+rrhr rirUrjrrmr3rr5rrkr>rr'r optionxformr read_filer(roUnicodeDecodeErrorrrlr1rr-r.r/ has_section add_sectionset remove_optionrTrGremove_sectionrr2rr%getvaluer|)rrrr?rrr rrsrrr_inf_dirinf_fileinf_datarawrl section_mapsectionrs rBr!zcmd_set_security.run s((*--dgg-M  i(AB%KDH'/>2A/>  f%##G,   )   LL&% 0  " "7F 38##G,-2''0js  !$ 0 MM(Iclln$= >  ! !$ ! 7G& C""8CJJx,@#AB C vvay33"$DEEvvay!>!@!@!BBB  D vvay33"$DEE  sP(K:(J AL 2K?KKK LALL M("M  Mrrr`rDrBrrsg@'H))--.. tW#JQTC )M -J=A'+IrDrceZdZdZdZej ejejdZ e ddde dd gZ d gZ d d Zy )cmd_list_securityaList Samba Security Group Policy from the sysvol This command lists security settings from the sysvol that will be applied to winbind clients. These settings only apply to the ADDC. Example: samba-tool gpo manage security list {31B2F340-016D-11D2-945F-00C04FB984F9} rWrr r r r rrrNcn|j|_|j|jd|_|r|j dr |dd}||_nGt |j|j}t|j|j||_t|d|j|j}|jjd}d j|jd |d g} td } t| _|j| } | j!t#| j%| j7D]A} | dvr| j9| D]&\}}|j:j=|d|d(Cy#t&$r,| j!t#| j%d YwxYw#t($rL} | j*dt,t.t0fvrYd} ~ y| j*dt2k(r t5dd} ~ wwxYw)NTrrfrZr[r]r^r_rr`z0MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.infrrrrc)rr = r)rrhr rirUrjrrmr3rkr>rr'rrrrr(rorrrlr-r.r/r1rsectionsrrr)rrrrr rrsrr_rrrrlrrr?s rBr!zcmd_list_security.run~ s((*--dgg-M  i(AB%KDH'>vvay33"$DEE  s<(G*(F''2GGGG H4( H/ "H//H4r"rr`rDrBrre sa'H))--.. tW#JQTC )M J+| j|j:}|j@jC|j:d|dy#t $rL} | j"d t$t&t(fvrYd} ~ y| j"d t*k(r t-d d} ~ wwxYw)NTrrfrZr[r]r^r_rr`rrrc Software\Policies\Samba\smb_confrr)"rrhr rirUrjrrmr3rkr>rr r rrrrlr-r.r/r1rr#LoadParmrmr%rdrrerrrr)rrrrr rrsrr_rurxrlrdrhryvals rBr!zcmd_list_smb_conf.run s((*--dgg-M  i(AB%KDH'>vvay33"$DEE  s)G H5) H0"H00H5r"rr`rDrBrr sb'H))--.. tW#JQTC )M J'FrDrceZdZdZdZej ejejdZ e ddde dd gZ gd Z d d Zy )cmd_set_smb_confa%Sets a Samba smb.conf Group Policy to the sysvol This command sets an smb.conf setting to the sysvol for applying to winbind clients. Not providing a value will unset the policy. Example: samba-tool gpo manage smb_conf set {31B2F340-016D-11D2-945F-00C04FB984F9} 'apply gpo policies' yes rrr r r r rrrsettingrNc|j|_|j|jd|_|r|j dr |dd}||_nGt |j|j}t|j|j||_t|d|j|j} |jt||j|j|j|} |jjd} d j| jd |d g} d j| d g} tt j"| j%| }|t||j4Dcgc]}|j6c}vrt3d|z|j4Dcgc]}|j6|k7r|}}||_t9||_nt=|jdvrd}d}n]t=|jdvrd}d }n=t=|j?rd}tAt=|}n d}tC|}t!jD}d|_#tC||_||_$||_%tM|j4}|jO|||_t9||_ tQ| | | jS| tU|| jWdy#t&$rb}|j(d t*t,t.fvrt!j"}n"|j(d t0k(r t3dYd}~ d}~wwxYwcc}wcc}w#t&$r'}|j(d t0k(r t3dd}~wwxYw)NTrrfrZr[r]r^r_rr`raz Registry.polrrcr)yesrhrcrhrO)nofalserrrs),rrhr rirUrjrrmr3rr5rrkr>rr r rrrrlr-r.r/r1rrmrerTrr& isnumericrXr%ryrdrrrrWr2rr r|)rrrr?rrr rrsrrr_pol_dirrurxrlrmetypers rBr!zcmd_set_smb_conf.run s^((*--dgg-M  i(AB%KDH'AI#G,AKAFAF8++,G NN1 &H #&w> 99;55"$DEE  F+> vvay33"$DEE   s=)L N >N$9N N 'ANN  O"OOrrr`rDrBrr sf/H))--.. tW#JQTC )M .JMQMrDrc<eZdZdZiZeed<eed<y) cmd_smb_confz$Manage smb.conf Group Policy ObjectsrrN)rrrr$rrrr`rDrBrrZ s$.K+-K)+KrDrceZdZdZdZej ejejdZ e ddde dd gZ d gZ d d Zy )cmd_list_symlinkzList VGP Symbolic Link Group Policy from the sysvol This command lists symlink settings from the sysvol that will be applied to winbind clients. Example: samba-tool gpo manage symlink list {31B2F340-016D-11D2-945F-00C04FB984F9} rWrr r r r rrrNc |j|_|j|jd|_|r|j dr |dd}||_nGt |j|j}t|j|j||_t|d|j|j}|jjd}d j|jd |d d g} tj|j| } | j-d} | j,d} | j/dD]Z}|j-d}|j-d}|j0j3d|j4d|j4d\y#t$rL} | j d t"t$t&fvrYd} ~ y| j d t(k(r t+dd} ~ wwxYw)NTrrfrZr[r]r^r_rr`MACHINE\VGP\VTLA\UnixzSymlink\manifest.xmlrrcr`rfile_propertiessourcetargetzln -s r<rrrhr rirUrjrrmr3rkr>rrrrrrlr-r.r/r1rrwrrrrz)rrrrr rrsrr_rrrlrrrrrs rBr!zcmd_list_symlink.runx s((*--dgg-M  i(AB%KDH' JO$))(3F$))(3F IIOOv{{FKKH I J vvay:<<>>vvay33"$DEE  s$F88 H  H&"HH r"rr`rDrBrr` sb'H))--.. tW#JQTC )M J'JrDrceZdZdZdZej ejejdZ e ddde dd gZ gd Z d d Zy )cmd_add_symlinkzAdds a VGP Symbolic Link Group Policy to the sysvol This command adds a symlink setting to the sysvol that will be applied to winbind clients. Example: samba-tool gpo manage symlink add {31B2F340-016D-11D2-945F-00C04FB984F9} /tmp/source /tmp/target '%prog [options]rr r r r rrrrrNc~|j|_|j|jd|_|r|j dr |dd}||_nGt |j|j}t|j|j||_t|d|j|j} |jt||j|j|j|} |jjd} d j| jd |d g} d j| d g} tj tj"| j%| }|j'j)d }|j(d}tj6|d}tj6|d}||_tj6|d}||_t?}|jA|dd|jCd tE| | | jG| |jI| jKdy#t*$r}|j,dt.t0t2fvrtj tj4d}tj6|j'd }tj6|d}d|_tj6|d}d|_tj6|d}d|_tj6|d}n"|j,dt:k(r t=dYd}~d}~wwxYw#t*$r'}|j,dt:k(r t=dd}~wwxYw)NTrrfrZr[r]r^r_rr`MACHINE\VGP\VTLA\Unix\Symlinkr_r`rrrarbrcrqzSymlink PolicyrdzSpecifies symbolic link datarcrrrrorprs)&rrhr rirUrjrrmr3rr5rrkr>rrrurrrvrwrrlr-r.r/rxryrzr1rr)rr{r2rrr|)rrrrrrr rrsrrr_rrrrrrlr`rrqrdr source_elm target_elmrs rBr!zcmd_add_symlink.run s((*--dgg-M  i(AB%KDH'>>>"**[*AB " h.>.>.@.=!? ]]=)<}}]F;,  mmM=I #A  }}]F;55"$DEE  D vvay33"$DEE   s2A(I89>N 8 N CCannot remove link from '%s' to '%s' because it does not existrcrrrrorprs)&rrhr rirUrjrrmr3rr5rrkr>rrrurrrvrwrrlr-r.r/rr1rrzrr)rr{r2rrr|)rrrrrrr rrsrrr_rrrrrrlrrrrs rBr!zcmd_remove_symlink.run s((*--dgg-M  i(AB%KDH' MO(--h7J(--h7J&(Z__-F O,  M ;=C DEKM MisWdC    !$ 0 MM'388: .  ! !$ ! 7; vvay:<<>>#$028$9:@BB55"$DEE < vvay33"$DEE   s2A(J!">L! L*AK;;L L3 "L..L3r"rr`rDrBrr sf9H))--.. tW#JQTC )M -JHL@rDrcPeZdZdZiZeed<eed<eed<y) cmd_symlinkz#Manage symlink Group Policy ObjectsrrrN)rrrr$rrrrr`rDrBrrZ s1-K*,K(*K.0KrDrceZdZdZdZej ejejdZ e ddde dd gZ d gZ d d Zy )cmd_list_fileszList VGP Files Group Policy from the sysvol This command lists files which will be copied from the sysvol and applied to winbind clients. Example: samba-tool gpo manage files list {31B2F340-016D-11D2-945F-00C04FB984F9} rWrr r r r rrrNc |j|_|j|jd|_|r|j dr |dd}||_nGt |j|j}t|j|j||_t|d|j|j}|jjd}d j|jd |d d g} tj|j| } | j-d} | j,d} | j/dD]}|j-dj0}|j-dj0}|j-dj0}|j-dj0}t3|}t5|d|d|d|d| }|j6j9d|zy#t$rL} | j d t"t$t&fvrYd} ~ y| j d t(k(r t+dd} ~ wwxYw)NTrrfrZr[r]r^r_rr`rzFiles\manifest.xmlrrcr`rrrrr5rn z -> r)rrhr rirUrjrrmr3rkr>rrrrrrlr-r.r/r1rrwrrzr*r+rr)rrrrr rrsrr_rrrlrrryrrr5rnmoders rBr!zcmd_list_files.runy s ((*--dgg-M  i(AB%KDH'>vvay33"$DEE  s$H I# I<"II#r"rr`rDrBrra sa'H))--.. tW#JQTC )M J,(rDrceZdZdZdZej ejejdZ e ddde dd gZ gd Z d d Zy ) cmd_add_filesaAdd VGP Files Group Policy to the sysvol This command adds files which will be copied from the sysvol and applied to winbind clients. Example: samba-tool gpo manage files add {31B2F340-016D-11D2-945F-00C04FB984F9} ./source.txt /usr/share/doc/target.txt root root 600 z=%prog [options]rr r r r rr)rrrr5rnrNc  |j|_| j|jd|_tj j |std|z|r|jdr |dd} ||_ nGt|j|j} t|j|j| |_ t| d|j|j} |jt||j|j|j|} |jj!d }d j#|j%d |d g}d j#|d g} t'j(t'j*| j-|}|j/j1d}|j0d}t'j>|d}t'j>|d}tj jE||_ t'j>|d}||_ t'j>|d}||_ t'j>|d}||_ dD]\}}t'j>|d} | jGd |tI|d!d"|zzrt'j>| d#tI|d!d$|zzrt'j>| d%tI|d!d&|zzst'j>| d'tK}!|jM|!d(d)|!jOdtQ|d*jS}"d j#|tj jE|g}# tU| || jW||!jS| jW|#|"| jYd+y#t2$r}|j4dt6t8t:fvrt'j(t'j<d}t'j>|j/d}t'j>|d}d|_ t'j>|d}d|_ t'j>|d}d|_ t'j>|d}n"|j4dtBk(r tdYd}~)d}~wwxYw#t2$r'}|j4dtBk(r tdd}~wwxYw),NTrzSource '%s' does not existrfrZr[r]r^r_rr`MACHINE\VGP\VTLA\Unix\Filesr_r`rrrarbrcrqFilesrdz+Represents file data to set/copy on clientsrcrrrr5rn))r5)rnr)otherr permissionsrrNrhrrMrrOexecuterorprrs)-rrhr rirrrrrUrjrrmr3rr5rrkr>rrrurrrvrwrrlr-r.r/rxryrzr1rrrXr)rr{rrr2rr|)$rrrrr5rnrrrr rrsrrr_rrrrrrlr`rrqrdrrrr group_elmptypeshiftrr source_data sysvol_sources$ rBr!zcmd_add_files.run sS((*--dgg-M ww~~f%;fDE E i(AB%KDH'@A))Wn56 ~~bmmDMM'4J&KLH%%',,_=F6;;v&D,--.?@]]?H= ''**62 ]]?H=  ==&9 MM/7;  E 6LE5--GK OOFE *4|se|, k624|se|, k734|se|, k95 6isWdC  64(--/  7BGG,<,>>>"**[*AB " h.>.>.@.=!? ]]=)<}}]F;#  mmM=I #P  }}]F;55"$DEE  d vvay33"$DEE   s3>A(P2AT T C [options]rr r r r rrrrNc|j|_|j|jd|_|r|j dr |dd}||_nGt |j|j}t|j|j||_t|d|j|j}|jt||j|j|j|} |jjd} d j| jd |d g} d j| d g} tj tj"|j%| } | j'j)d }|j(d}|j9dD]t}|j)d}|j)d}|j:|k(s5d j| |j:g}|j=||j?|nt5d|ztA}| jC|dd|jEd tG|| |jI| |jK| jMdy#t*$rU}|j,dt.t0t2fvrt5d|z|j,dt6k(r t5dd}~wwxYw#t*$r'}|j,dt6k(r t5dd}~wwxYw)NTrrfrZr[r]r^r_rr`rr_r`rrz1Cannot remove file '%s' because it does not existrcrrrrorprs)'rrhr rirUrjrrmr3rr5rrkr>rrrurrrvrwrrlr-r.r/rr1rrzunlinkrr)rr{r2rrr|)rrrrrr rrsrrr_rrrrrrlrrrrrs rBr!zcmd_remove_files.run0 s((*--dgg-M  i(AB%KDH'@A))Wn56 ~~bmmDMM'4J&KLH%%',,_=F6;;v&D $||,=> EO(--h7J(--h7J&(GZ__#=> F# O, E ;=C DE EisWdC    !$ 0 MM'388: .  ! !$ ! 7? vvay:<<>>#$028$9::55"$DEE @ vvay33"$DEE   s2A(J>?>L> LALL M("M  Mr"rr`rDrBrr sk0H))--.. tW#JQTC )M "J@DBrDrcPeZdZdZiZeed<eed<eed<y) cmd_filesz!Manage Files Group Policy ObjectsrrrN)rrrr$rrrrr`rDrBr r t s0+K(*K&K,.KrDr ceZdZdZdZej ejejdZ e ddde dd gZ d gZ d d Zy )cmd_list_opensshzList VGP OpenSSH Group Policy from the sysvol This command lists openssh options from the sysvol that will be applied to winbind clients. Example: samba-tool gpo manage openssh list {31B2F340-016D-11D2-945F-00C04FB984F9} rWrr r r r rrrNc |j|_|j|jd|_|r|j dr |dd}||_nGt |j|j}t|j|j||_t|d|j|j}|jjd}d j|jd |d d g} tj|j| } | j-d} | j,d} | j-d}|j/dD]}|j-dj0r|j/dD]U}|j2j5|j-dj0d|j-dj0dWy#t$rL} | j d t"t$t&fvrYd} ~ y| j d t(k(r t+dd} ~ wwxYw)NTrrfrZr[r]r^r_rr`zMACHINE\VGP\VTLA\SshCfgzSshD\manifest.xmlrrcr`r configfile configsection sectionname keyvaluepairrr<r?rrrhr rirUrjrrmr3rkr>rrrrrrlr-r.r/r1rrwrrzrr)rrrrr rrsrr_rrrlrrrrkvs rBr!zcmd_list_openssh.run s((*--dgg-M  i(AB%KDH'>vvay33"$DEE  s$G66 I ? I$"II r"rr`rDrBr r { sb'H))--.. tW#JQTC )M J*ErDr ceZdZdZdZej ejejdZ e ddde dd gZ gd Z d d Zy )cmd_set_openssha"Sets a VGP OpenSSH Group Policy to the sysvol This command sets an openssh setting to the sysvol for applying to winbind clients. Not providing a value will unset the policy. Example: samba-tool gpo manage openssh set {31B2F340-016D-11D2-945F-00C04FB984F9} KerberosAuthentication Yes z'%prog [value] [options]rr r r r rrrNc |j|_|j|jd|_|r|j dr |dd}||_nGt |j|j}t|j|j||_t|d|j|j} |jt||j|j|j|} |jjd} d j| jd |d g} d j| d g} tj tj"| j%| }|j'j)d }|j(d}|j)d}||j?dD]}|j)dj8ri}|j?dD]}|||j)d<||jAvr |||_htj6|d}tj6|d}||_tj6|d}||_n|j?dD]}|j)dj8ri}|j?dD] }|||j)dj8<"||jAvr|jC|||t=d |ztE}|jG|d!d"|jId tK| | | jM| |jO| jQd#y#t*$rg}|j,dt.t0t2fvrtj tj4d}tj6|j'd }tj6|d}d|_tj6|d}d|_tj6|d}d|_tj6|d}d|_tj6|d}tj6|d}tj6|d}tj6|dn"|j,dt:k(r t=dYd}~Ed}~wwxYw#t*$r'}|j,dt:k(r t=dd}~wwxYw)$NTrrfrZr[r]r^r_rr`zMACHINE\VGP\VTLA\SshCfg\SshDr_r`rrrrarbrcrqzConfiguration Filerdz+Represents Unix configuration file settingsrerfrrrcrrr?rrorprs))rrhr rirUrjrrmr3rr5rrkr>rrrurrrvrwrrlr-r.r/rxryrzr1rrrrr)rr{r2rrr|)rrrr?rrr rrsrrr_rrrrrrrlr`rrqrdrersettingsrrrdvaluers rBr!zcmd_set_openssh.run s((*--dgg-M  i(AB%KDH'  %%m499'//?7B46HRWWU^0017hmmo-!(('):;&(35<(=>> >isWdC    !$ 0 MM'388: .  ! !$ ! 7y vvay:<<>>>>"**[*AB " h.>.>.@.=!? ]]=)<}}]F;0  mmM=I #P  ]]=,G ") }}]F;]]4> " j/ J  m];55"$DEE <' z vvay33"$DEE   s2A9N#$>T# T-ETT U "UUrrr`rDrBrr sf9H))--.. tW#JQTC )M .J>B'+`rDrc<eZdZdZiZeed<eed<y) cmd_opensshz#Manage OpenSSH Group Policy ObjectsrrN)rrrr$rr rr`rDrBrr: s$-K*,K(*KrDrceZdZdZdZej ejejdZ e ddde dd gZ d gZ d d Zy )cmd_list_startupzList VGP Startup Script Group Policy from the sysvol This command lists the startup script policies currently set on the sysvol. Example: samba-tool gpo manage scripts startup list {31B2F340-016D-11D2-945F-00C04FB984F9} rWrr r r r rrrNc |j|_|j|jd|_|r|j dr |dd}||_nGt |j|j}t|j|j||_t|d|j|j}|jjd}d j|jd |d d g} tj|j| } | j-d} | j,d} | j/dD]}|j-d}d jd |jd |dd|j0g}|j-d}|j-d}| |j0}nd}| |j0}nd}|j2j5d|d|d|dy#t$rL} | j d t"t$t&fvrYd} ~ y| j d t(k(r t+dd} ~ wwxYw)NTrrfrZr[r]r^r_rr`rzScripts\Startup\manifest.xmlrrcr`rrkscriptzMACHINE\VGP\VTLA\Unix\ScriptsStartup parametersrun_asrootrJz@reboot r<rr)rrrrr rrsrr_rrrlrrrkr script_pathr r!s rBr!zcmd_list_startup.runX s*((*--dgg-M  i(AB%KDH'K%)),7J %%h/F!%'__  IIOOFK2<> ? ? vvay:<<>>vvay33"$DEE  s$H I I8"IIr"rr`rDrBrr@ sa'H))--.. tW#JQTC )M J4?rDrceZdZdZdZej ejejdZ e ddde dd e d d d d dgZ gdZ ddZy)cmd_add_startupzAdds VGP Startup Script Group Policy to the sysvol This command adds a startup script policy to the sysvol. Example: samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '\-n \-p all' z.%prog