[Samba] Unable to create GPO "Allow log on locally"

nanocosm at gmail.com nanocosm at gmail.com
Mon Aug 8 10:09:40 UTC 2016

Well, I've set up a completely new test AD Domain with Samba 4.4.5 and
one Windows 10 Client running RSAT tools in an isolated VM net.

Creating a new empty GPO using RSAT tools
Computer Configuration->
    Windows  Settings->
      Security Settings->
        Local Policies->
          User Rights Assignment->
            Allow Logon Locally"
does not work. I am able to add users/groups to the listbox but I'm
unable to "Apply" or "Ok".
The RSAT Dialog will refuse to apply with the message
 "Administrators must be granted the logon local right" and the Dialog
stays open.

It does not matter which version of Windows or which language is being

To reproduce just try to add "DOMAIN\Administrator" or
"CLIENT\Administrator" to the GPO mentioned above with any recent RSAT
Client on a Samba 4.4.5 DC.

It is possible to edit these information inside the GPO file
"GptTmpl.inf" using the right SIDs and it will work then. Also the
Usernames will be shown correctly in RSAT after adding them manually.
(Well I would do it this way but my colleagues won't manually edit the
files I bet. So this is nothing I can advise the 'rest of the world'
especially  ;-)

Doing the same on a Windows 2008R2 DC everything works as expected.

When I increase logging on samba with log level = all:255 there's no
relevant output. Some messages when accessing the GPOs but no logs when
trying to apply.

Am I missing something or is this a samba bug?
On which Samba-Version is this working?
Currently I've no clue where to start on resolving these problems...

Any help is very appreciated

Am 05.08.2016 um 14:35 schrieb mathias dufresne:
> Oops, sorry, my gmail box did not show me there was already replies...
> 2016-08-05 14:35 GMT+02:00 mathias dufresne <infractory at gmail.com
> <mailto:infractory at gmail.com>>:
>     Not sure this could help, anyway I try : )
>     Here, with French speaking Windows, when we have to give rights to
>     some object using MS standard objects (as administrators, guest,
>     authenticated users...) we must use French syntax of these objects.
>     I expect this behaviour coming from the fact Windows systems know
>     only one language at a time (here our Windows systems are French dudes).
>     Anyway I had a look into our GPOs designed to add some AD group to
>     LOCAL\Administrators. When we created these GPOs I'm almost sure I
>     had to use "Administrateurs" and not "Administrators".
>     In our GptTmpl.inf it is the SID of that group which is used, not
>     the string version of the group name:
>     cat Machine/microsoft/windows\ nt/SecEdit/GptTmpl.inf
>     [Unicode]
>     Unicode=yes
>     [Version]
>     signature="$CHICAGO$"
>     Revision=1
>     [Group Membership]
>     *S-1-5-21-0123456789-9876543210-0123456789-1558__Memberof =
>     *S-1-5-32-544
>     *S-1-5-21-0123456789-9876543210-0123456789-1558__Members =
>     As you decided to use group name string rather than SID and because
>     Samba is speaking English (thanks to Samba team :D) you had to use
>     English version of that name.
>     A last note: when using Windows UI to search group or user the
>     default location of the search is AD domain. To be able to chose
>     local user/group you have to change that location and then select
>     local computer name rather domain name.
>     Once that is done if you look for "Administratoren" in that UI it
>     should refers to LOCAL\Administrators.
>     What's good is even you select local_computer_name\administrators
>     this will be transformed into SID (S-1-5-32-544 for
>     local\administrators) and so this GPO work on any computer, not only
>     the one where was selected this local group.
>     I expect all these remarks related to local objects are still valid
>     when speaking about AD objects.
>     Hoping this could help, cheers,
>     Mathias
>     2016-08-05 11:04 GMT+02:00 nanocosm at gmail.com
>     <mailto:nanocosm at gmail.com> <nanocosm at gmail.com
>     <mailto:nanocosm at gmail.com>>:
>         Am 04.08.2016 um 17:11 schrieb lingpanda101 at gmail.com
>         <mailto:lingpanda101 at gmail.com>:
>         > On 8/4/2016 10:11 AM, nanocosm at gmail.com <mailto:nanocosm at gmail.com> wrote:
>         >> Hi,
>         >>
>         >> I've a Samba 4.4.5 AD DC working fine.
>         >> But when I try to create a GPO on "Computer Configuration>Policies>
>         >> Windows Settings>Security Settings>Local Policies>User Rights
>         >> Assignment>Allow Logon Locally" I can add Administrators, Domain Admin
>         >> to the listbox but I'm unable to apply.
>         >>
>         >> When I click "Ok" or "Apply" the dialog won't close.
>         >>
>         >> I tested this on a real Win2008R2 Server and it works here without
>         >> problems.
>         >>
>         >> Any ideas how to get out there? There aare no logs (neiter on
>         >> Samba-Server nor on the Windows RSAT client).
>         >>
>         >>
>         >>
>         >> Thanks in advance
>         >>
>         >>
>         >
>         > I created this policy twice. Once in the default 'Group Policy Objects'
>         > container and one as a 'create a GPO in this domain, and link it
>         > here...'. Both worked with the same user and groups you specified. This
>         > is on a Windows 7 device using RSAT. Not sure what your issue is, but it
>         > does seem to work.
>         >
>         Interestingly it seems to be related to a german Windows10/RSAT
>         and the
>         translation of "Administratoren"(EN:Administrators) built-in
>         groups into
>         the SID '*S-1-5-32-544'
>         I've digged into GPO manually and edited the 'GptTmpl.inf' file.
>         When I
>         add all the groups manually it works and will be shown
>         afterwards in the
>         gpedit.msc.
>         [Unicode]
>         Unicode=yes
>         [Version]
>         signature="$CHICAGO$"
>         Revision=1
>         [Privilege Rights]
>         SeInteractiveLogonRight =
>         *S-1-5-32-544,*S-1-5-21-2350650622-768076714-1495782470-512,*S-1-5-21-2350650622-768076714-1495782470-500,Administrators,*S-1-5-21-2350650622-768076714-1495782470-1115
>         Using Winows7/RSAT Tools for Win7 doesn't worked, probably
>         because it
>         was also in german. Next thing I want to try is using an englisch
>         version of Win10/RSAT tools.
>         I'll report back...
>         --
>         --
>         To unsubscribe from this list go to the following URL and read the
>         instructions:  https://lists.samba.org/mailman/options/samba
>         <https://lists.samba.org/mailman/options/samba>


More information about the samba mailing list