[Samba] GPOs not Working!

L.P.H. van Belle belle at bazuin.nl
Tue Feb 6 19:37:25 UTC 2018


now, im on a phone and no browser, so limit help.


first thing i see.
  CN=Bj”rn <User>,CN=Users,DC=rootrudi,DC=de


Bj”rn ? 
is your system set to utf8?
i dont know, but this does not look right.


i see, wifi? yes, try utp.
langsame Verbindung:500 kbps


and do try the ignore systemacl. 
that solves the user/group “nt authority\system” problems the easy way.


greetz
Louis

Op 6 feb. 2018 om 20:27 heeft Micha Ballmann via samba <samba at lists.samba.org> het volgende geschreven:


Thanks for help,

this is a new domain controller without any modifcations, except one 
GPO. I have the "Default Domain Policy" and created an addtional GPO, 
named "test_something". Both are linked at the top of the domain. I 
configured at the "test_something" GPO:

# Interactive logon: Do not require CTRL + ALT + DEL -> activate

# Interactive login: Do not displa last user name -> activate

Security Filter, by default:

 * Authenticated Users

Delegation Tab, also by default:

 * Authenticated Users
 * Domain Admins
 * Enterprise Admins
 * ServerLogon
 * SYSTEM

gpresult /v shows:

############################


Betriebssystem Microsoft (R) Windows (R) Gruppenrichtlinienergebnis-Tool 
v2.0
Copyright (C) Microsoft Corp. 1981-2001

Am 06.02.2018, um 20:01:46 erstellt



RSOP-Daten f??r ROOTRUDI\<User> auf CLIENTWIN701: Protokollmodus
---------------------------------------------------------------

Betriebssystemkonfiguration: Mitglied der Dom„ne/Arbeitsgruppe
Betriebssystemversion:       6.1.7601
Standortname:                Nicht zutreffend
Zwischengespeichertes Profil:Nicht zutreffend
Lokales Profil:              C:\Users\<User>
Langsame Verbindung?         Nein


BENUTZEREINSTELLUNGEN
----------------------
    CN=Bj”rn <User>,CN=Users,DC=rootrudi,DC=de
    Letzte Gruppenrichtlinienanwendung:   06.02.2018, um 20:01:12
    Gruppenrichtlinieanwendung von:       dc2.rootrudi.de
    Schwellenwert f??r langsame Verbindung:500 kbps
    Dom„nenname:                          ROOTRUDI
    Dom„nentyp:                           Windows 2000

*Angewendete Gruppenrichtlinienobjekte**
**    --------------------------------------**
**        Default Domain Policy**
**        test_something*

    Folgende herausgefilterte Gruppenrichtlinien werden nicht angewendet.
----------------------------------------------------------------------
        Richtlinien der lokalen Gruppe
            Filterung:  Nicht angewendet (Leer)

    Der Benutzer ist Mitglied der folgenden Sicherheitsgruppen
    ----------------------------------------------------------
        Domain Users
        Jeder
        Benutzer
        INTERAKTIV
        KONSOLENANMELDUNG
        Authentifizierte Benutzer
        Diese Organisation
        LOKAL
        mitarbeiter
        rzm
        Mittlere Verbindlichkeitsstufe

    Der Benutzer verf??gt ??ber folgende Berechtigungen
    -------------------------------------------------


    Richtlinienergebnissatz f??r Benutzer
    -------------------------------------

        Softwareinstallationen
        ----------------------
            Nicht zutreffend

        Anmeldeskripts
        --------------
            Nicht zutreffend

        Abmeldeskripts
        --------------
            Nicht zutreffend

        Richtlinien ”ffentlicher Schl??ssel
        ----------------------------------
            Nicht zutreffend

        Administrative Vorlagen
        -----------------------
            Nicht zutreffend

        Ordnerumleitung
        ---------------
            Nicht zutreffend

        Internet Explorer-Browserbenutzerschnittstelle
        ----------------------------------------------
            Nicht zutreffend

        Internet Explorer-Verbindung
        ----------------------------
            Nicht zutreffend

        Internet Explorer-URLs
        ----------------------
            Nicht zutreffend

        Internet Explorer-Sicherheit
        ----------------------------
            Nicht zutreffend

        Internet Explorer-Programme
        ---------------------------
            Nicht zutreffend

############################

You see*test_something *was loaded corrctly, but the options i set up are not working.

"gpresult /H GPReport.html" shows the same.

https://www.uni-landau.de/MichaB/gpresult.html

Thy for help!
Micha








# Interactive login: Do not displa last user name -> activate


Am 06.02.2018 um 19:52 schrieb lingpanda101 via samba:
On 2/6/2018 1:42 PM, Robert Marcano via samba wrote:
On 02/06/2018 01:44 PM, Micha Ballmann via samba wrote:
Hello,

i have a testing environment, 2 DCs Ubuntu 18.04, SAMBA 4.7.4 - MIT 
Kerberos (clean, not upgraded). I just wan to create/activating a 
simple GPOs.

# Interactive logon: Do not require CTRL + ALT + DEL -> activate

# Interactive login: Do not displa last user name -> activate


These look like machine level GPO. See the output of

 gpresult /v

Mine say that machine based GPOs are not applied because of "Denied 
(Security)" and the GPO is the default one (This is a test domain) 
where the filter is for "Authenticated Users" and that include 
machine accounts.

Running Samba Version 4.7.4.

More details of the same problem (not solved) at this mailing list 
post https://lists.samba.org/archive/samba/2018-January/213333.html


When im activating this Policys (no errors or something like that) 
nothing happend.

I reboot two Domain Members (Windows 7). Still showing last username 
and CTRL + ALT + DEL. Also typed "gpudate /force", didn't help. Also 
rejoined the clients.

I configured the SYSVOL replication with this guide:

https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround 


Tell me what information you need if isn't enough.

I hope you can help!

Thanks

Micha





I don't recommend modifying the default domain or default domain 
controllers policy. Create separate ones and apply to either site or OU. 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba




More information about the samba mailing list