I have a Samba server set up as a secondary domain controller and an Active Directory server as the primary domain controller. My goal is to deploy a startup script to run on Windows clients in a specific Organizational Unit (OU=HR).
I used the following command to add the startup script:
samba-tool gpo manage scripts startup add {GPO_UID} script.ps1
This created a manifest file, and copied the script to the SYSVOL folder. However, the script does not seem to execute on the clients. The script is supposed to write a file to C:\, but no new file is created.
What I have done so far:
- SYSVOL (where it copied, not Policies).
- OU (OU=HR).
- The gpupdate command was run on the client to apply the updated policies.
PS: I cannot see the startup script when I open Group Policy Management Editor on the Windows Active Directory Server since I added it using samba-tool.
Despite this, the script does not run at startup as expected.
Additional Info:
- C:\.
Can someone help me troubleshoot why the startup script is not being executed? I can provide more details if needed.
For this version of samba-tool you'll need to create the script structure manually.
First, ensure your GPO directory is properly structured. The base directory (e.g., GPO) must include:
- Machine/ for scripts that run at the computer level (Startup/Shutdown).
- User/ for scripts that run at the user level (Logon/Logoff).
Each of these directories must further include:
- Startup/ and Shutdown/ under Machine/.
- Logon/ and Logoff/ under User/.
Scripts placed in these directories will execute based on their folder's purpose (e.g., scripts in Startup/ execute at startup).
Here’s an example file tree structure for a GPO with a Startup and Logon script:
├── GPT.INI
├── Machine
│   └── Scripts
│       ├── psscripts.ini
│       ├── Shutdown
│       └── Startup
│           └── machine_script.ps1
└── User
    ├── Documents & Settings
    └── Scripts
        ├── Logoff
        ├── Logon
        │   └── user_script.ps1
        └── psscripts.ini
Each directory also requires a configuration file to list the scripts and their parameters:
- scripts.ini for batch (.cmd/.bat) scripts.
- psscripts.ini for PowerShell (.ps1) scripts.
psscripts.ini
For Machine/Startup script:
[Startup]
0CmdLine=machine_script.ps1
0Parameters=Parameters
For User/Logon script:
[Logon]
0CmdLine=user_script.ps1
0Parameters=Parameters
- The number prefix (0, 1, etc.) indicates the execution order.
- Set the Parameters field as required by your script.
- Ensure the scripts (machine_script.ps1, user_script.ps1, etc.) are placed in the appropriate Startup/, Shutdown/, Logon/, or Logoff/ directories.
After configuring the files and directories, link the GPO to the desired OU (Organizational Unit) in Active Directory to ensure the scripts execute as intended.
This method gives you granular control over script execution while adhering to GPO standards. Let me know if you have further questions!
Note: You'll need to set the permissions and users of the files as:
-rwxrwx---+ 1 BUILTIN\administrators users 80 Dec 30 16:15 psscripts.ini
chmod 770
chown 3000000:users
One needs to modify the ldap database to make the Client-Side Execution (CSE) activated.
You must add gPCMachineExtensionNames to the ldap database and increment the versionNumber.
gPCMachineExtensionNames
Create an ldif (script_setup.ldi) file that contains:
dn: CN={xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx},CN=Policies,CN=System,DC=domain,DC=prd
changetype: modify
add: gPCMachineExtensionNames
gPCMachineExtensionNames: [{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]
Execute it:
ldapmodify -x -D "cn=Administrator,cn=Users,dc=example,dc=com" -w "ADMINISTRATOR_PASSWORD" -H ldaps://example.com -f script_setup.ldi
versionNumber
Create an ldif (version_add.ldif) file that contains:
dn: CN={xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx},CN=Policies,CN=System,DC=example,DC=com
changetype: modify
replace: versionNumber
versionNumber: 1
Execute it:
ldapmodify -x -D "cn=Administrator,cn=Users,dc=example,dc=com" -w "ADMINISTRATOR_PASSWORD" -H ldaps://example.com -f version_add.ldif
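The steps in this answer assembled into one script, added here as an example (it is not the answer author's code): it creates the directory tree, psscripts.ini, GPT.INI and the two LDIF files under a GPO directory, and checks that the GPT.INI version and the LDAP versionNumber agree before you apply anything. The GPO path, GUID and base DN are assumed arguments; the CSE GUIDs are the ones quoted above; the file only writes to disk and never calls ldapmodify.

```shell
#!/bin/sh
# Added example, not the answer author's code: writes the GPO tree, psscripts.ini,
# GPT.INI and the two LDIF files from this answer into a GPO directory for review.
# Assumptions: GPO_DIR is the GPO folder under SYSVOL, GPO_GUID the braced GUID of
# the GPO, BASE_DN the domain DN. Nothing here contacts LDAP or runs ldapmodify.
set -eu

# Machine-side CSE pair for startup/shutdown scripts, exactly as quoted in the answer.
CSE_SCRIPTS='[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]'

# make_startup_gpo GPO_DIR GPO_GUID BASE_DN SCRIPT_NAME VERSION
make_startup_gpo() {
    dir=$1; guid=$2; base_dn=$3; script=$4; version=$5
    mkdir -p "$dir/Machine/Scripts/Startup" "$dir/Machine/Scripts/Shutdown" \
             "$dir/User/Scripts/Logon" "$dir/User/Scripts/Logoff"
    # psscripts.ini: the numeric prefix is the execution order; CRLF for Windows.
    printf '[Startup]\r\n0CmdLine=%s\r\n0Parameters=\r\n' "$script" \
        > "$dir/Machine/Scripts/psscripts.ini"
    # Keep GPT.INI's Version equal to the AD versionNumber: clients read both
    # when deciding whether the GPO changed.
    printf '[General]\r\nVersion=%s\r\n' "$version" > "$dir/GPT.INI"
    # LDIF 1: register the CSE so clients process the scripts extension.
    cat > "$dir/script_setup.ldif" <<EOF
dn: CN=$guid,CN=Policies,CN=System,$base_dn
changetype: modify
add: gPCMachineExtensionNames
gPCMachineExtensionNames: $CSE_SCRIPTS
EOF
    # LDIF 2: bump versionNumber so clients notice the change.
    cat > "$dir/version_add.ldif" <<EOF
dn: CN=$guid,CN=Policies,CN=System,$base_dn
changetype: modify
replace: versionNumber
versionNumber: $version
EOF
    # Mode from the answer's ls output; chown to the mapped SID owner is left
    # to the operator because it needs root on the DC.
    chmod -R 770 "$dir/Machine" "$dir/User"
}

# check_versions GPO_DIR: succeeds only when GPT.INI and version_add.ldif agree.
check_versions() {
    gpt=$(sed -n 's/^Version=//p' "$1/GPT.INI" | tr -d '\r')
    ad=$(sed -n 's/^versionNumber: //p' "$1/version_add.ldif")
    [ -n "$gpt" ] && [ "$gpt" = "$ad" ]
}
```

Run make_startup_gpo against the GPO folder, inspect the generated files, then apply the two LDIFs with the ldapmodify commands shown above.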