[Samba] GPOs not Working!
Robert Marcano
robert at marcanoonline.com
Tue Feb 6 19:29:48 UTC 2018
On 02/06/2018 03:20 PM, lingpanda101 via samba wrote:
> On 2/6/2018 2:03 PM, Robert Marcano via samba wrote:
>> On 02/06/2018 02:52 PM, lingpanda101 via samba wrote:
>>> On 2/6/2018 1:42 PM, Robert Marcano via samba wrote:
>>>> On 02/06/2018 01:44 PM, Micha Ballmann via samba wrote:
>>>>> Hello,
>>>>>
>>>>> i have a testing environment, 2 DCs Ubuntu 18.04, SAMBA 4.7.4 - MIT
>>>>> Kerberos (clean, not upgraded). I just wan to create/activating a
>>>>> simple GPOs.
>>>>>
>>>>> # Interactive logon: Do not require CTRL + ALT + DEL -> activate
>>>>>
>>>>> # Interactive login: Do not displa last user name -> activate
>>>>
>>>>
>>>> These look like machine level GPO. See the output of
>>>>
>>>> gpresult /v
>>>>
>>>> Mine say that machine based GPOs are not applied because of "Denied
>>>> (Security)" and the GPO is the default one (This is a test domain)
>>>> where the filter is for "Authenticated Users" and that include
>>>> machine accounts.
>>>>
>>>> Running Samba Version 4.7.4.
>>>>
>>>> More details of the same problem (not solved) at this mailing list
>>>> post https://lists.samba.org/archive/samba/2018-January/213333.html
>>>>
>>>>>
>>>>> When im activating this Policys (no errors or something like that)
>>>>> nothing happend.
>>>>>
>>>>> I reboot two Domain Members (Windows 7). Still showing last
>>>>> username and CTRL + ALT + DEL. Also typed "gpudate /force", didn't
>>>>> help. Also rejoined the clients.
>>>>>
>>>>> I configured the SYSVOL replication with this guide:
>>>>>
>>>>> https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround
>>>>>
>>>>>
>>>>> Tell me what information you need if isn't enough.
>>>>>
>>>>> I hope you can help!
>>>>>
>>>>> Thanks
>>>>>
>>>>> Micha
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>> I don't recommend modifying the default domain or default domain
>>> controllers policy. Create separate ones and apply to either site or OU.
>>>
>> Thanks for the information, to use a default GPO was a simple way to
>> try to encourage someone to reproduce the problem.
>>
>> I already created new GPOs (this is a test domain) Using the default
>> filter for a new GPO, "Authenticated users", creating a new group for
>> the test clients and using that as the filter, checking it have the
>> right permissions (apply), checking every guide about applying GPO to
>> computers. Using OUs and using domain level GPOs.
>>
>> What I find weird is that gpresult doesn't list the computer as a
>> member of groups I create, only a few predefined ones:
>>
>> NULL SID
>> NT AUTHORITY\NETWORK,
>> This company,
>> and something like "mandatory level of no trust" (Windows is not in
>> english)
>>
>>
>>
> I think I understand a bit more. You are attempting to modify the
> Security Filtering from Authenticated Users to a manually created group?
> From my testing this for some reason does not work. At least for me.
> GPO's will not apply. That doesn't mean I'm not able to apply machine
> account GPO's though. Am I correct?
>
On my initial test I was just trying to set a computer level GPO, It
didn't work (on default GPO or new GPOs), I did not modified the default
filter that a GPO have. I created new GPOs, and new groups as a test if
some other configuration worked.
Another response just received say I should not call sysvolreset after
creating GPOs. I don't remember at what time I used sysvolreset trying
to make these GPOs to be applied, so I will need to test again.
More information about the samba
mailing list