[Samba] Machine level GPO always denied with "Filter: Denied (Security)
robert at marcanoonline.com
Wed Jan 17 13:47:01 UTC 2018
I have provisioned a test AD domain (single DC initially), and joined a
single workstation to it. When I use the "Default Domain Policy" that
already exist on the newly domain tree, the user level policies are applied
perfectly, but machine level policies don't.
The "Default Domain Policy" includes "Authenticated Users" read and apply
on the delegation tab.
"gpupdate /force" say machine and user policies were updated. There is no
error on the Windows error log.
"gpresult /v" sat the "Default Domain Policy" was filtered because of
"Denied (Security)". I find it weird that gpresult show only these groups
as the machine being member of
and something like "mandatory level of no trust" (Windows is not in
gpresult does not say the machine is part of Authenticated Users or Domain
Computers. What could be wrong here? what is that NULL SID?
Running Samba Version 4.7.4.
samba-tool ntacl sysvolcheck says permissions errors every time I update
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO file /var/lib/samba/sysvol/
does not match expected value
from GPO object
"samba-tool ntacl sysvolreset" fix the error but the machine level GPO is
not applied even after it
Thanks in advance
More information about the samba