The joys of a Samba domain... First off, Domain Group Policy can't be used until Samba 4 arrives.
We need to set up Software Restriction Policies (SRPs) on most of the computers in our Samba domain and I would dearly like to automate this. (We are moving away from just disabling the Windows installer.) The traditional way is to set SRPs using Local Group Policy (LGP) Computer Conf->Windows Settings->SRP, but this involves visiting every machine as it can't be set using NTConfig.pol.
It is possible to attempt to create the SRPs directly in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{30628f61-eb47-4d87-823b-6683a09eda87}]
"LastModified"=hex(b):40,a2,94,09,b5,5d,ca,01
"Description"=""
"SaferFlags"=dword:00000000
"ItemData"="C:\\location\\subfolder"
SaferFlags DWORD seems to be what turns it on or off, but although this seems to work it does not update the Local Group Policy - SRPs still show as "No SRPs Defined".
Where does the LGP store this setting - is it even in the registry? And more importantly, is there a cleverer way of setting up SRPs?
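The registry entry quoted in the question can be generated rather than typed per machine. This is an added example, not code from the original post: it renders the same key and four values as .reg text and shows that `LastModified` is a little-endian FILETIME. The function names are hypothetical, `SaferFlags` is fixed at the value the question shows, and, as the question observes, entries written this way do not show up in the Local Group Policy editor.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Key path copied from the question; 262144 is the level subkey shown there.
SRP_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows"
            r"\Safer\CodeIdentifiers")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_hex_b(when):
    """Encode a datetime as .reg hex(b): REG_QWORD, little-endian FILETIME."""
    ticks = (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    return ",".join(f"{b:02x}" for b in ticks.to_bytes(8, "little"))


def hex_b_to_datetime(text):
    """Decode a hex(b) value such as the question's LastModified to UTC."""
    raw = bytes(int(part, 16) for part in text.split(","))
    ticks = int.from_bytes(raw, "little")  # 100 ns units since 1601-01-01
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def reg_string(value):
    """Quote a .reg string: backslashes and double quotes are escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def path_rule(path, when, level=262144, rule_id=None, description=""):
    """Render one path-rule key with the four values shown in the question."""
    rule_id = rule_id or "{%s}" % uuid.uuid4()  # fresh GUID per rule
    return "\n".join([
        f"[{SRP_ROOT}\\{level}\\Paths\\{rule_id}]",
        f'"LastModified"=hex(b):{filetime_to_hex_b(when)}',
        f'"Description"={reg_string(description)}',
        '"SaferFlags"=dword:00000000',  # value as shown in the question
        f'"ItemData"={reg_string(path)}',
    ])


def reg_file(rules):
    """Join rendered rules into a file body with the regedit v5 header."""
    return "Windows Registry Editor Version 5.00\n\n" + "\n\n".join(rules) + "\n"


if __name__ == "__main__":
    # Rebuild the question's own entry from its timestamp, GUID and path.
    stamp = hex_b_to_datetime("40,a2,94,09,b5,5d,ca,01")
    print(reg_file([path_rule(r"C:\location\subfolder", stamp,
                              rule_id="{30628f61-eb47-4d87-823b-6683a09eda87}")]))
```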
Local Group Policies get stored outside of the registry in C:\Windows\System32\GroupPolicy and get merged into the registry during startup (for computer policies) or logon (for user policies). You need to view them as a separate entity which need not actually even exist for a setting to take effect.
When you view the local policy in gpedit.msc what you're viewing is what is in the C:\Windows\System32\GroupPolicy folder, not what's currently in the registry.
One suggestion would be to modify the local policy to taste on a test machine and drop the relevant files onto your other machines, but I haven't tested this and can't confirm it would work. Overall though I honestly think you're better off biting the bullet and putting Windows Domain Controllers in. You may be saving money on license fees with your current approach, but you're just losing a whole lot of time on maintaining an elaborate (and potentially delicate) setup that using Windows DCs would totally bypass. Unfortunately I suspect that the cost of the time you're losing would be multiples of the cost of just implementing Windows DCs.