[Samba] GPOs not Working!

lingpanda101 lingpanda101 at gmail.com
Tue Feb 6 19:20:27 UTC 2018


On 2/6/2018 2:03 PM, Robert Marcano via samba wrote:
> On 02/06/2018 02:52 PM, lingpanda101 via samba wrote:
>> On 2/6/2018 1:42 PM, Robert Marcano via samba wrote:
>>> On 02/06/2018 01:44 PM, Micha Ballmann via samba wrote:
>>>> Hello,
>>>>
>>>> I have a testing environment, 2 DCs Ubuntu 18.04, SAMBA 4.7.4 - MIT 
>>>> Kerberos (clean, not upgraded). I just want to create/activate 
>>>> simple GPOs.
>>>>
>>>> # Interactive logon: Do not require CTRL + ALT + DEL -> activate
>>>>
>>>> # Interactive login: Do not display last user name -> activate
>>>
>>>
>>> These look like machine-level GPOs. See the output of
>>>
>>>   gpresult /v
>>>
>>> Mine says that machine-based GPOs are not applied because of "Denied 
>>> (Security)" and the GPO is the default one (this is a test domain) 
>>> where the filter is for "Authenticated Users" and that includes 
>>> machine accounts.
>>>
>>> Running Samba Version 4.7.4.
>>>
>>> More details of the same problem (not solved) at this mailing list 
>>> post https://lists.samba.org/archive/samba/2018-January/213333.html
>>>
>>>>
>>>> When I'm activating these policies (no errors or something like that) 
>>>> nothing happened.
>>>>
>>>> I reboot two Domain Members (Windows 7). Still showing last 
>>>> username and CTRL + ALT + DEL. Also typed "gpudate /force", didn't 
>>>> help. Also rejoined the clients.
>>>>
>>>> I configured the SYSVOL replication with this guide:
>>>>
>>>> https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround 
>>>>
>>>>
>>>> Tell me what information you need if this isn't enough.
>>>>
>>>> I hope you can help!
>>>>
>>>> Thanks
>>>>
>>>> Micha
>>>>
>>>>
>>>>
>>>
>>>
>> I don't recommend modifying the default domain or default domain 
>> controllers policy. Create separate ones and apply to either site or OU.
>>
> Thanks for the information, to use a default GPO was a simple way to 
> try to encourage someone to reproduce the problem.
>
> I already created new GPOs (this is a test domain) Using the default 
> filter for a new GPO, "Authenticated users", creating a new group for 
> the test clients and using that as the filter, checking it has the 
> right permissions (apply), checking every guide about applying GPO to 
> computers. Using OUs and using domain level GPOs.
>
> What I find weird is that gpresult doesn't list the computer as a 
> member of groups I create, only a few predefined ones:
>
>   NULL SID
>   NT AUTHORITY\NETWORK,
>   This company,
>   and something like "mandatory level of no trust" (Windows is not in
> English)
>
>
>
I think I understand a bit more. You are attempting to modify the 
Security Filtering from Authenticated Users to a manually created group? 
From my testing this for some reason does not work. At least for me. 
GPOs will not apply. That doesn't mean I'm not able to apply machine 
account GPOs though. Am I correct?

-- 
--
James



