[Samba] Unable to create GPO "Allow log on locally"

nanocosm at gmail.com nanocosm at gmail.com
Fri Aug 5 09:04:37 UTC 2016

Am 04.08.2016 um 17:11 schrieb lingpanda101 at gmail.com:
> On 8/4/2016 10:11 AM, nanocosm at gmail.com wrote:
>> Hi,
>> I've a Samba 4.4.5 AD DC working fine.
>> But when I try to create a GPO on "Computer Configuration>Policies>
>> Windows Settings>Security Settings>Local Policies>User Rights
>> Assignment>Allow Logon Locally" I can add Administrators, Domain Admin
>> to the listbox but I'm unable to apply.
>> When I click "Ok" or "Apply" the dialog won't close.
>> I tested this on a real Win2008R2 Server and it works here without
>> problems.
>> Any ideas how to get out there? There aare no logs (neiter on
>> Samba-Server nor on the Windows RSAT client).
>> Thanks in advance
> I created this policy twice. Once in the default 'Group Policy Objects'
> container and one as a 'create a GPO in this domain, and link it
> here...'. Both worked with the same user and groups you specified. This
> is on a Windows 7 device using RSAT. Not sure what your issue is, but it
> does seem to work.

Interestingly it seems to be related to a german Windows10/RSAT and the
translation of "Administratoren"(EN:Administrators) built-in groups into
the SID '*S-1-5-32-544'

I've digged into GPO manually and edited the 'GptTmpl.inf' file. When I
add all the groups manually it works and will be shown afterwards in the

[Privilege Rights]
SeInteractiveLogonRight =

Using Winows7/RSAT Tools for Win7 doesn't worked, probably because it
was also in german. Next thing I want to try is using an englisch
version of Win10/RSAT tools.
I'll report back...


More information about the samba mailing list