[Samba] GPO for Computer/Machine not working

Martin Tessun martin.tessun at gmx.de
Sun Oct 20 15:52:52 UTC 2019


Hi all,

I am having the same issue that is described in an older thread here:  
https://lists.samba.org/archive/samba/2018-February/213656.html

The problem I am facing is that the machine accounts are not trusted  
in the domain (this is true for all Win 10 Systems). The issue with  
the computer is from my pov:


     Folgende herausgefilterte Gruppenrichtlinien werden nicht angewendet.
     ----------------------------------------------------------------------
         Local Admins Policy
             Filterung:  Verweigert (Sicherheit)

         Default Domain Policy
             Filterung:  Verweigert (Sicherheit)

         Richtlinien der lokalen Gruppe
             Filterung:  Nicht angewendet (Leer)

     Der Computer ist Mitglied der folgenden Sicherheitsgruppen
     ----------------------------------------------------------
         NULL SID
         NETZWERK
         Diese Organisation
         Nicht vertrauenswürdige Verbindlichkeitsstufe

Sorry, the Windows is German unfortunately, but what is happening is
mainly that the PC does not have access to the SYSVOL share, as the
Computer Account is not part of the correct security groups (see
above), but instead is part of:
- NULL SID
- NETWORK
- THIS ORGANISATION
- Untrusted Mandatory Level

From my PoV the Computer should be part of:
- Authenticated Users
- Domain Computers
- High Mandatory Level

This is not the case and the reason the machine does not get access to  
the sysvol. This can also be seen within the details, as the gpt.ini  
can't be accessed (Policy Version 65535):

Verknüpfungsort ad.die-tessuns.de
Konfigurierte Erweiterungen {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
Erzwungen Nein
Deaktiviert Keine
Sicherheitsfilter NT-AUTORITÄT\Authentifizierte Benutzer
Revision AD (2), SYSVOL (65535)
WMI-Filter
Grund: abgelehnt Zugriff verweigert (Sicherheitsfilterung)


Whereas the User has the correct security Groups:

    Der Benutzer ist Mitglied der folgenden Sicherheitsgruppen
     ----------------------------------------------------------
         Domain Users
         Jeder
         Benutzer
         INTERAKTIV
         KONSOLENANMELDUNG
         Authentifizierte Benutzer
         Diese Organisation
         LOKAL
         Local Admins
         Hohe Verbindlichkeitsstufe

So in English:
- Domain Users
- Everyone
- Users
- INTERACTIVE
- Console Logon
- Authenticated User
- This Organization
- Local
- Local Admins
- High Mandatory Level

Rejoining the Computer does not make any difference, nor does
adjusting the SYSVOL permissions as described in several threads. So
from my pov the right thing to solve this issue is to get the computer
account to the correct trust level/security group membership.

Unfortunately I found no way of doing so.

So if anyone has an idea on what to do here, it would be greatly
appreciated. (BTW: Looking at effective user rights for the SYSVOL
shares, the machine account <COMPUTERNAME>$ as well as SYSTEM should
have access rights. Unfortunately the GPO thinks otherwise.)

Also note that Computer GPO is the only thing that is not working. And  
I also tried all the solution proposals listed in the aforementioned  
thread already - as expected with no success.

Thanks!
Martin
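
The comparison made in the post above, written out as an added example (not part of the original message): it parses the German-locale group listing and GPO details quoted there and reports when the computer's token lacks the GPO's security-filter group or the SYSVOL revision is 65535. The sample strings are constructed from the post's excerpts, and `diagnose` and the other function names are hypothetical.

```python
import re

# Constructed sample input: excerpts of the German-locale report quoted in the post.
COMPUTER_GROUPS = """\
     Der Computer ist Mitglied der folgenden Sicherheitsgruppen
     ----------------------------------------------------------
         NULL SID
         NETZWERK
         Diese Organisation
         Nicht vertrauenswürdige Verbindlichkeitsstufe
"""
GPO_DETAILS = """\
Sicherheitsfilter NT-AUTORITÄT\\Authentifizierte Benutzer
Revision AD (2), SYSVOL (65535)
Grund: abgelehnt Zugriff verweigert (Sicherheitsfilterung)
"""

def parse_groups(section):
    """Group names listed under the dashed rule, up to the first blank line."""
    lines = section.splitlines()
    rule = next((i for i, l in enumerate(lines)
                 if l.strip() and set(l.strip()) == {"-"}), None)
    if rule is None:
        return []
    groups = []
    for line in lines[rule + 1:]:
        if not line.strip():
            break
        groups.append(line.strip())
    return groups

def parse_gpo(details):
    """Extract the security filter principal and the AD/SYSVOL revisions."""
    filt = re.search(r"^Sicherheitsfilter\s+(.+)$", details, re.M)
    rev = re.search(r"^Revision\s+AD \((\d+)\), SYSVOL \((\d+)\)", details, re.M)
    return {"filter": filt.group(1).strip(),
            "ad": int(rev.group(1)), "sysvol": int(rev.group(2))}

def diagnose(groups, gpo):
    """Hypothetical helper: list the symptoms the post describes."""
    findings = []
    principal = gpo["filter"].split("\\")[-1]   # drop the "NT-AUTORITÄT\" prefix
    if principal not in groups:
        findings.append(f"token is not a member of filter group '{principal}'")
    if gpo["sysvol"] == 65535:   # value the post ties to an unreadable gpt.ini
        findings.append("SYSVOL revision 65535")
    elif gpo["sysvol"] != gpo["ad"]:
        findings.append("AD and SYSVOL revisions differ")
    return findings
```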


