samba4, default domain policy provisioned as "Enforced" which means "No override"

Douglas VanLeuven roamdad at sonic.net
Tue Mar 4 22:16:50 GMT 2008


AD descriptions get so looong.  Hard to get a short subject. Sorry.

If the default domain policy is enforced, it doesn't work to get link
enabled group policy on subordinate OUs to override default policy.

I believe this is contrary to normal windows behavior and certainly
going to cause sysadmins grief when the subordinate OU group policy
doesn't appear to work.  It got me for about 8 hours.  Since current
domain policy doesn't allow changing delegation, or altering any domain
settings in group policy console (that's another issue), the only way to
fix it is to edit the directory directly.

attribute gPLink in the domain's base DN

[LDAP://CN=(<default policy ID>),CN=Policies,CN=System,DC=...,DC=com;2]

The 2 means enforced, 0 would be link enabled.

One of the ways Windows inhibits alteration of the default domain policy
is by the attribute systemFlags = -1946157056 in the CN for the policy

systemFlags: 0x8C000000 = ( FLAG_DISALLOW_DELETE | FLAG_DOMAIN_DISALLOW_RENAME | FLAG_DOMAIN_DISALLOW_MOVE );

Hopefully someone will dialog with me about what the design criteria were
here.

Regards, Doug
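An added example, not code from Doug's post or from Samba: a small Python helper that parses a gPLink value into its links, reports which are enforced, sets or clears the Enforced bit on one link before writing it back, and decodes the signed systemFlags value quoted above. The GPO GUID used is the well-known Default Domain Policy GUID; the domain DN and the sample value are constructed.

```python
import re
from dataclasses import dataclass

# gPLink option bits (MS-GPOL): bit 0 = link disabled, bit 1 = enforced ("No override").
GPLINK_DISABLED = 0x1
GPLINK_ENFORCED = 0x2

# systemFlags bits named in the post; AD stores the attribute as a signed 32-bit int.
SYSTEM_FLAG_NAMES = [
    (0x80000000, "FLAG_DISALLOW_DELETE"),
    (0x08000000, "FLAG_DOMAIN_DISALLOW_RENAME"),
    (0x04000000, "FLAG_DOMAIN_DISALLOW_MOVE"),
]

# One gPLink entry: [LDAP://<DN>;<options>]; the DN itself never contains ';' or ']'.
_LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)


@dataclass
class GPLink:
    dn: str
    options: int

    @property
    def enforced(self) -> bool:
        return bool(self.options & GPLINK_ENFORCED)

    @property
    def disabled(self) -> bool:
        return bool(self.options & GPLINK_DISABLED)


def parse_gplink(value: str) -> list:
    """Split a gPLink attribute value into its ordered link entries."""
    return [GPLink(dn, int(opts)) for dn, opts in _LINK_RE.findall(value)]


def format_gplink(links: list) -> str:
    """Serialise links back into the attribute syntax AD expects."""
    return "".join(f"[LDAP://{l.dn};{l.options}]" for l in links)


def set_enforced(value: str, gpo_cn: str, enforced: bool) -> str:
    """Return the gPLink value with Enforced set/cleared on the link whose DN starts with CN=<gpo_cn>."""
    links = parse_gplink(value)
    for link in links:
        if link.dn.lower().startswith(f"cn={gpo_cn.lower()},"):
            link.options = (link.options | GPLINK_ENFORCED) if enforced else (link.options & ~GPLINK_ENFORCED)
    return format_gplink(links)


def decode_system_flags(raw: int) -> list:
    """Map a signed systemFlags integer (e.g. -1946157056 == 0x8C000000) to the flag names it sets."""
    bits = raw & 0xFFFFFFFF
    return [name for bit, name in SYSTEM_FLAG_NAMES if bits & bit]
```

Reading the domain's gPLink with ldbsearch or ldapsearch, passing it through parse_gplink, and checking `.enforced` on the default-policy link is a quick way to confirm the condition Doug describes before touching the directory.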

