[Samba] Unable to create GPO "Allow log on locally"

nanocosm at gmail.com
Fri Aug 5 09:04:37 UTC 2016


On 04.08.2016 at 17:11, lingpanda101 at gmail.com wrote:
> On 8/4/2016 10:11 AM, nanocosm at gmail.com wrote:
>> Hi,
>>
>> I've a Samba 4.4.5 AD DC working fine.
>> But when I try to create a GPO on "Computer Configuration>Policies>
>> Windows Settings>Security Settings>Local Policies>User Rights
>> Assignment>Allow Logon Locally" I can add Administrators, Domain Admin
>> to the listbox but I'm unable to apply.
>>
>> When I click "Ok" or "Apply" the dialog won't close.
>>
>> I tested this on a real Win2008R2 Server and it works here without
>> problems.
>>
>> Any ideas how to get out there? There are no logs (neither on
>> Samba-Server nor on the Windows RSAT client).
>>
>>
>>
>> Thanks in advance
>>
>>
> 
> I created this policy twice. Once in the default 'Group Policy Objects'
> container and one as a 'create a GPO in this domain, and link it
> here...'. Both worked with the same user and groups you specified. This
> is on a Windows 7 device using RSAT. Not sure what your issue is, but it
> does seem to work.
> 

Interestingly, it seems to be related to a German Windows10/RSAT and the
translation of "Administratoren" (EN: Administrators) built-in groups into
the SID '*S-1-5-32-544'.

I've dug into the GPO manually and edited the 'GptTmpl.inf' file. When I
add all the groups manually it works and will be shown afterwards in
gpedit.msc.

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-2350650622-768076714-1495782470-512,*S-1-5-21-2350650622-768076714-1495782470-500,Administrators,*S-1-5-21-2350650622-768076714-1495782470-1115


Using Windows7/RSAT Tools for Win7 didn't work, probably because it
was also in German. The next thing I want to try is using an English
version of Win10/RSAT tools.
I'll report back...


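Added example (not part of the original post and not Samba code): a small Python check that parses the [Privilege Rights] section of a GptTmpl.inf and lists trustees written as plain names rather than in the '*S-1-...' SID form, which is the distinction the post above turns on. The sample file is constructed and its domain SID is a placeholder; the function names are assumptions of this example.

```python
import re

# Constructed sample modelled on the GptTmpl.inf in the post; the domain SID
# is a made-up placeholder and "Administratoren" stands in for a localized name.
SAMPLE = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-512,Administratoren
SeDenyInteractiveLogonRight =
"""

SID_RE = re.compile(r"^\*S-1-\d+(-\d+)+$")  # trustee stored as a literal SID

def parse_privilege_rights(text):
    """Return {right: [trustee, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [t.strip() for t in value.split(",") if t.strip()]
    return rights

def unresolved_trustees(rights):
    """Return {right: [names]} for trustees that are not in *SID form."""
    found = {r: [t for t in ts if not SID_RE.match(t)] for r, ts in rights.items()}
    return {r: names for r, names in found.items() if names}

def load_inf(path):
    """Read a GptTmpl.inf from SYSVOL; the file is normally UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        data = fh.read()
    enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
    return data.decode(enc)

if __name__ == "__main__":
    for right, names in unresolved_trustees(parse_privilege_rights(SAMPLE)).items():
        print(f"{right}: not a SID -> {', '.join(names)}")
```

To check a real policy, pass the result of load_inf() on the GPO's GptTmpl.inf to parse_privilege_rights() instead of SAMPLE.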