[Samba] Unable to create GPO "Allow log on locally"

mathias dufresne infractory at gmail.com
Fri Aug 5 12:35:13 UTC 2016

Not sure this could help, anyway I try : )

Here, with French speaking Windows, when we have to give rights to some
object using MS standard objects (as administrators, guest, authenticated
users...) we must use French syntax of these objects.
I expect this behaviour coming from the fact Windows systems know only one
language at a time (here our Windows systems are French dudes).

Anyway I had a look into our GPOs designed to add some AD group to
LOCAL\Administrators. When we created these GPOs I'm almost sure I had to
use "Administrateurs" and not "Administrators".
In our GptTmpl.inf it is the SID of that group which is used, not the
string version of the group name:
cat Machine/microsoft/windows\ nt/SecEdit/GptTmpl.inf
[Group Membership]
*S-1-5-21-0123456789-9876543210-0123456789-1558__Memberof = *S-1-5-32-544
*S-1-5-21-0123456789-9876543210-0123456789-1558__Members =

As you decided to use group name string rather than SID and because Samba
is speaking English (thanks to Samba team :D) you had to use English
version of that name.

A last note: when using Windows UI to search group or user the default
location of the search is AD domain. To be able to chose local user/group
you have to change that location and then select local computer name rather
domain name.
Once that is done if you look for "Administratoren" in that UI it should
refers to LOCAL\Administrators.

What's good is even you select local_computer_name\administrators this will
be transformed into SID (S-1-5-32-544 for local\administrators) and so this
GPO work on any computer, not only the one where was selected this local

I expect all these remarks related to local objects are still valid when
speaking about AD objects.

Hoping this could help, cheers,


2016-08-05 11:04 GMT+02:00 nanocosm at gmail.com <nanocosm at gmail.com>:

> Am 04.08.2016 um 17:11 schrieb lingpanda101 at gmail.com:
> > On 8/4/2016 10:11 AM, nanocosm at gmail.com wrote:
> >> Hi,
> >>
> >> I've a Samba 4.4.5 AD DC working fine.
> >> But when I try to create a GPO on "Computer Configuration>Policies>
> >> Windows Settings>Security Settings>Local Policies>User Rights
> >> Assignment>Allow Logon Locally" I can add Administrators, Domain Admin
> >> to the listbox but I'm unable to apply.
> >>
> >> When I click "Ok" or "Apply" the dialog won't close.
> >>
> >> I tested this on a real Win2008R2 Server and it works here without
> >> problems.
> >>
> >> Any ideas how to get out there? There aare no logs (neiter on
> >> Samba-Server nor on the Windows RSAT client).
> >>
> >>
> >>
> >> Thanks in advance
> >>
> >>
> >
> > I created this policy twice. Once in the default 'Group Policy Objects'
> > container and one as a 'create a GPO in this domain, and link it
> > here...'. Both worked with the same user and groups you specified. This
> > is on a Windows 7 device using RSAT. Not sure what your issue is, but it
> > does seem to work.
> >
> Interestingly it seems to be related to a german Windows10/RSAT and the
> translation of "Administratoren"(EN:Administrators) built-in groups into
> the SID '*S-1-5-32-544'
> I've digged into GPO manually and edited the 'GptTmpl.inf' file. When I
> add all the groups manually it works and will be shown afterwards in the
> gpedit.msc.
> [Unicode]
> Unicode=yes
> [Version]
> signature="$CHICAGO$"
> Revision=1
> [Privilege Rights]
> SeInteractiveLogonRight =
> *S-1-5-32-544,*S-1-5-21-2350650622-768076714-1495782470-512,*S-1-5-21-
> 2350650622-768076714-1495782470-500,Administrators,*S-1-5-21-2350650622-
> 768076714-1495782470-1115
> Using Winows7/RSAT Tools for Win7 doesn't worked, probably because it
> was also in german. Next thing I want to try is using an englisch
> version of Win10/RSAT tools.
> I'll report back...
> --
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list