Linux Active Directory (AD) integration is historically one of the most requested functionalities by our corporate users, and with Ubuntu Desktop 22.04, we introduced ADsys, our new Active Directory client. This blog post is the last of a series where we will explore the new functionalities in more detail. (Part 1 – Introduction, Part 2 – Group Policy Objects, Part 3 – Privilege Management)
In this article we will focus on how you can use Active Directory to schedule startup, shutdown, login or logout scripts on your managed desktops through ADsys.
In this area, as well as for all the other new features delivered by ADsys, we tried to offer a user experience as close as possible to the native one available in Microsoft Windows, with the aim of enabling IT admins to reuse the same knowledge and tools they acquired over the years to manage Ubuntu desktops.
The case for Active Directory remote script execution
Whether you need to map network drives, configure a printer or perform ad hoc activities, it is very important for IT teams to be able to remotely execute scripts on their managed clients. On Windows this is achieved through Active Directory management functionalities or, more recently, through Microsoft Endpoint Manager cloud offerings.
For Linux desktops it has not historically been so straightforward. While there are many paid and open source solutions that offer remote management functionalities, including Canonical Landscape, they are often yet another piece of infrastructure that sysadmins need to deploy, learn and harden. The lack of prior operational knowledge often results in a high total cost of ownership, increased attack surface and/or inefficient operations in the team.
Because of these pain points we decided to add the remote script execution functionality to our ADsys client. If you are using Active Directory for authentication you already have a piece of infrastructure that touches all your clients, which you now can use to schedule scripts at scale across your Ubuntu desktop estate.
Scheduling scripts with Active Directory
The remote script execution functionality allows the execution of shell scripts or any supported binary on the target machine (including PowerShell if the relevant package is installed on Ubuntu). Active Directory can be configured to execute the script on behalf of the client or by impersonating other users.
To be executed, the scripts have to be copied to the Active Directory sysvol folder, and they are specific per distribution. To expose a new version to the system it is also necessary to create an appropriate GPT.ini file, and to make sure it is updated every time a new version of the script is available. This can be done manually or through a daemon.
Once in the folder, scripts can be enabled or disabled by navigating to the relevant Computer Scripts or User Scripts folder in the Ubuntu administrative templates, depending on whether you want to tie them to the machine (startup/shutdown) or to the users (login/logoff).
It is important to note that, as in Windows, the script sessions are transactional: whenever a machine boots up and connects to the domain controller, it will download the latest available version of the script. However, if a new version becomes available during the session, it will not be executed until the next reboot/login.
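The GPT.ini update step described above can be automated by bumping the version only when the script files actually change, which also means an unplanned version bump flags an unexpected change to scripts that clients will execute. The sketch below is an added example, not ADsys code or code from the original post. It assumes a `scripts/` directory with `GPT.ini` beside it, the `[General]` / `Version=` layout used by Windows GPT.ini files, and a hypothetical local state file holding the last digest.

```python
import configparser
import hashlib
import tempfile
from pathlib import Path


def tree_digest(scripts_dir: Path) -> str:
    """Hash every file's relative path and content, in a stable order."""
    h = hashlib.sha256()
    for path in sorted(p for p in scripts_dir.rglob("*") if p.is_file()):
        h.update(path.relative_to(scripts_dir).as_posix().encode() + b"\0")
        h.update(hashlib.sha256(path.read_bytes()).digest())
    return h.hexdigest()


def bump_if_changed(assets_dir: Path, state_file: Path) -> int:
    """Increment Version in GPT.ini when scripts/ changed; return the version."""
    ini_path = assets_dir / "GPT.ini"  # assumed location, next to scripts/
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep the key spelled "Version", not "version"
    cp.read(ini_path)     # a missing file is ignored and starts from 0
    if not cp.has_section("General"):
        cp.add_section("General")
    version = cp.getint("General", "Version", fallback=0)

    digest = tree_digest(assets_dir / "scripts")
    previous = state_file.read_text().strip() if state_file.exists() else ""
    if digest == previous and ini_path.exists():
        return version    # nothing changed: clients keep the current version

    # Write the new version only after the scripts are already in place.
    cp.set("General", "Version", str(version + 1))
    with ini_path.open("w") as fh:
        cp.write(fh, space_around_delimiters=False)
    state_file.write_text(digest + "\n")
    return version + 1


if __name__ == "__main__":
    # Constructed sample tree in a temporary directory, not a real sysvol.
    root = Path(tempfile.mkdtemp())
    (root / "Ubuntu" / "scripts").mkdir(parents=True)
    (root / "Ubuntu" / "scripts" / "startup.sh").write_text("#!/bin/sh\n")
    print(bump_if_changed(root / "Ubuntu", root / "digest.state"))
    print((root / "Ubuntu" / "GPT.ini").read_text())
```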
Additional resources and how to get the new features
The features described in this blog post are available for free for all Ubuntu users; however, you need an Ubuntu Advantage subscription to take advantage of the privilege management and remote script execution features. You can get a personal license free of charge using your Ubuntu SSO account. ADsys is supported on Ubuntu starting from 20.04.2 LTS, and tested with Windows Server 2019.
We have recently updated the Active Directory integration whitepaper to include a practical step-by-step guide to help you take full advantage of the new features. If you want to know more about the inner workings of ADsys you can head to its GitHub page or read the product documentation.
If you want to learn more about Ubuntu Desktop, Ubuntu Advantage or our advanced Active Directory integration features please do not hesitate to contact us to discuss your needs with one of our advisors.