[Samba] GPOs not Working!

L.P.H. van Belle belle at bazuin.nl
Tue Feb 6 19:37:25 UTC 2018

now, im on a phone and no browser, so limit help.

first thing i see.
  CN=Bj”rn <User>,CN=Users,DC=rootrudi,DC=de

Bj”rn ? 
is your system set to utf8?
i dont know, but this does not look right.

i see, wifi? yes, try utp.
langsame Verbindung:500 kbps

and do try the ignore systemacl. 
that solves the user/group “nt authority\system” problems the easy way.


Op 6 feb. 2018 om 20:27 heeft Micha Ballmann via samba <samba at lists.samba.org> het volgende geschreven:

Thanks for help,

this is a new domain controller without any modifcations, except one 
GPO. I have the "Default Domain Policy" and created an addtional GPO, 
named "test_something". Both are linked at the top of the domain. I 
configured at the "test_something" GPO:

# Interactive logon: Do not require CTRL + ALT + DEL -> activate

# Interactive login: Do not displa last user name -> activate

Security Filter, by default:

 * Authenticated Users

Delegation Tab, also by default:

 * Authenticated Users
 * Domain Admins
 * Enterprise Admins
 * ServerLogon

gpresult /v shows:


Betriebssystem Microsoft (R) Windows (R) Gruppenrichtlinienergebnis-Tool 
Copyright (C) Microsoft Corp. 1981-2001

Am 06.02.2018, um 20:01:46 erstellt

RSOP-Daten f??r ROOTRUDI\<User> auf CLIENTWIN701: Protokollmodus

Betriebssystemkonfiguration: Mitglied der Dom„ne/Arbeitsgruppe
Betriebssystemversion:       6.1.7601
Standortname:                Nicht zutreffend
Zwischengespeichertes Profil:Nicht zutreffend
Lokales Profil:              C:\Users\<User>
Langsame Verbindung?         Nein

    CN=Bj”rn <User>,CN=Users,DC=rootrudi,DC=de
    Letzte Gruppenrichtlinienanwendung:   06.02.2018, um 20:01:12
    Gruppenrichtlinieanwendung von:       dc2.rootrudi.de
    Schwellenwert f??r langsame Verbindung:500 kbps
    Dom„nenname:                          ROOTRUDI
    Dom„nentyp:                           Windows 2000

*Angewendete Gruppenrichtlinienobjekte**
**    --------------------------------------**
**        Default Domain Policy**
**        test_something*

    Folgende herausgefilterte Gruppenrichtlinien werden nicht angewendet.
        Richtlinien der lokalen Gruppe
            Filterung:  Nicht angewendet (Leer)

    Der Benutzer ist Mitglied der folgenden Sicherheitsgruppen
        Domain Users
        Authentifizierte Benutzer
        Diese Organisation
        Mittlere Verbindlichkeitsstufe

    Der Benutzer verf??gt ??ber folgende Berechtigungen

    Richtlinienergebnissatz f??r Benutzer

            Nicht zutreffend

            Nicht zutreffend

            Nicht zutreffend

        Richtlinien ”ffentlicher Schl??ssel
            Nicht zutreffend

        Administrative Vorlagen
            Nicht zutreffend

            Nicht zutreffend

        Internet Explorer-Browserbenutzerschnittstelle
            Nicht zutreffend

        Internet Explorer-Verbindung
            Nicht zutreffend

        Internet Explorer-URLs
            Nicht zutreffend

        Internet Explorer-Sicherheit
            Nicht zutreffend

        Internet Explorer-Programme
            Nicht zutreffend


You see*test_something *was loaded corrctly, but the options i set up are not working.

"gpresult /H GPReport.html" shows the same.


Thy for help!

# Interactive login: Do not displa last user name -> activate

Am 06.02.2018 um 19:52 schrieb lingpanda101 via samba:
On 2/6/2018 1:42 PM, Robert Marcano via samba wrote:
On 02/06/2018 01:44 PM, Micha Ballmann via samba wrote:

i have a testing environment, 2 DCs Ubuntu 18.04, SAMBA 4.7.4 - MIT 
Kerberos (clean, not upgraded). I just wan to create/activating a 
simple GPOs.

# Interactive logon: Do not require CTRL + ALT + DEL -> activate

# Interactive login: Do not displa last user name -> activate

These look like machine level GPO. See the output of

 gpresult /v

Mine say that machine based GPOs are not applied because of "Denied 
(Security)" and the GPO is the default one (This is a test domain) 
where the filter is for "Authenticated Users" and that include 
machine accounts.

Running Samba Version 4.7.4.

More details of the same problem (not solved) at this mailing list 
post https://lists.samba.org/archive/samba/2018-January/213333.html

When im activating this Policys (no errors or something like that) 
nothing happend.

I reboot two Domain Members (Windows 7). Still showing last username 
and CTRL + ALT + DEL. Also typed "gpudate /force", didn't help. Also 
rejoined the clients.

I configured the SYSVOL replication with this guide:


Tell me what information you need if isn't enough.

I hope you can help!



I don't recommend modifying the default domain or default domain 
controllers policy. Create separate ones and apply to either site or OU. 

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list