[Samba] GPOs not Working!
Micha Ballmann
ballmann at uni-landau.de
Tue Feb 6 21:06:12 UTC 2018
I also tried "samba-tool ntacl sysvolreset". Did not help.
Thy
On 6 February 2018 20:29:48 CET, Robert Marcano via samba <samba at lists.samba.org> wrote:
>On 02/06/2018 03:20 PM, lingpanda101 via samba wrote:
>> On 2/6/2018 2:03 PM, Robert Marcano via samba wrote:
>>> On 02/06/2018 02:52 PM, lingpanda101 via samba wrote:
>>>> On 2/6/2018 1:42 PM, Robert Marcano via samba wrote:
>>>>> On 02/06/2018 01:44 PM, Micha Ballmann via samba wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have a testing environment, 2 DCs Ubuntu 18.04, SAMBA 4.7.4 - MIT
>>>>>> Kerberos (clean, not upgraded). I just want to create/activate
>>>>>> simple GPOs.
>>>>>>
>>>>>> # Interactive logon: Do not require CTRL + ALT + DEL -> activate
>>>>>>
>>>>>> # Interactive login: Do not display last user name -> activate
>>>>>
>>>>>
>>>>> These look like machine level GPO. See the output of
>>>>>
>>>>> gpresult /v
>>>>>
>>>>> Mine says that machine based GPOs are not applied because of "Denied
>>>>> (Security)" and the GPO is the default one (This is a test domain)
>>>>> where the filter is for "Authenticated Users" and that includes
>>>>> machine accounts.
>>>>>
>>>>> Running Samba Version 4.7.4.
>>>>>
>>>>> More details of the same problem (not solved) at this mailing list
>>>>> post https://lists.samba.org/archive/samba/2018-January/213333.html
>>>>>
>>>>>>
>>>>>> When I'm activating these policies (no errors or something like that)
>>>>>> nothing happened.
>>>>>>
>>>>>> I rebooted two Domain Members (Windows 7). Still showing last
>>>>>> username and CTRL + ALT + DEL. Also typed "gpudate /force", didn't
>>>>>> help. Also rejoined the clients.
>>>>>>
>>>>>> I configured the SYSVOL replication with this guide:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround
>>>>>>
>>>>>>
>>>>>> Tell me what information you need if this isn't enough.
>>>>>>
>>>>>> I hope you can help!
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Micha
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>> I don't recommend modifying the default domain or default domain
>>>> controllers policy. Create separate ones and apply to either site or OU.
>>>>
>>> Thanks for the information, to use a default GPO was a simple way to
>>> try to encourage someone to reproduce the problem.
>>>
>>> I already created new GPOs (this is a test domain) Using the default
>>> filter for a new GPO, "Authenticated users", creating a new group for
>>> the test clients and using that as the filter, checking it has the
>>> right permissions (apply), checking every guide about applying GPO to
>>> computers. Using OUs and using domain level GPOs.
>>>
>>> What I find weird is that gpresult doesn't list the computer as a
>>> member of groups I create, only a few predefined ones:
>>>
>>> NULL SID
>>> NT AUTHORITY\NETWORK,
>>> This company,
>>> and something like "mandatory level of no trust" (Windows is not in
>>> English)
>>>
>>>
>>>
>> I think I understand a bit more. You are attempting to modify the
>> Security Filtering from Authenticated Users to a manually created group?
>> From my testing this for some reason does not work. At least for me.
>> GPO's will not apply. That doesn't mean I'm not able to apply machine
>> account GPO's though. Am I correct?
>>
>
>
>On my initial test I was just trying to set a computer level GPO. It
>didn't work (on default GPO or new GPOs), I did not modify the default
>filter that a GPO has. I created new GPOs, and new groups as a test if
>some other configuration worked.
>
>Another response just received says I should not call sysvolreset after
>creating GPOs. I don't remember at what time I used sysvolreset trying
>to make these GPOs to be applied, so I will need to test again.
>
--
This message was sent from my Android device with K-9 Mail.