[Samba] GPO for Computer/Machine not working

Sun Oct 20 17:16:44 UTC 2019

On 20/10/2019 16:52, Martin Tessun via samba wrote:
> Hi all,
>
> I am having the same issue that is described in an older thread here: 
> https://lists.samba.org/archive/samba/2018-February/213656.html
>
> The problem I am facing is that the machine accounts are not trusted 
> in the domain (this is true for all Win 10 Systems). The issue with 
> the computer is from my pov:
>
>
>     Folgende herausgefilterte Gruppenrichtlinien werden nicht angewendet.
> ----------------------------------------------------------------------
>         Local Admins Policy
>             Filterung:  Verweigert (Sicherheit)
>
>         Default Domain Policy
>             Filterung:  Verweigert (Sicherheit)
>
>         Richtlinien der lokalen Gruppe
>             Filterung:  Nicht angewendet (Leer)
>
>     Der Computer ist Mitglied der folgenden Sicherheitsgruppen
>     ----------------------------------------------------------
>         NULL SID
>         NETZWERK
>         Diese Organisation
>         Nicht vertrauenswürdige Verbindlichkeitsstufe
>
> Sorry, the Windows is German unfortunately, but what is happening is 
> mainly that the PC doesn not have access to the SYSVOL share, as the 
> Computer Account is not part of the correct security groups´(see 
> above), but instead is part of:
> - NULL SID
> - NETWORK
> - THIS ORGANISATION
> - Untrusted Mandatory Level
>
> From my PoV the Computer should be part of:
> - Authenticated Users
> - Domain Computers
> - High Mandatory Level
>
> This is not the case and the reason the machine does not get access to 
> the sysvol. This can also be seen within the details, as the gpt.ini 
> can't be accessed (Policy Version 65535):
>
> Verknüpfungsort ad.die-tessuns.de
> Konfigurierte Erweiterungen {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
> Erzwungen Nein
> Deaktiviert Keine
> Sicherheitsfilter NT-AUTORITÄT\Authentifizierte Benutzer
> Revision AD (2), SYSVOL (65535)
> WMI-Filter
> Grund: abgelehnt Zugriff verweigert (Sicherheitsfilterung)
>
>
> Whereas the User has the correct security Groups:
>
>    Der Benutzer ist Mitglied der folgenden Sicherheitsgruppen
>     ----------------------------------------------------------
>         Domain Users
>         Jeder
>         Benutzer
>         INTERAKTIV
>         KONSOLENANMELDUNG
>         Authentifizierte Benutzer
>         Diese Organisation
>         LOKAL
>         Local Admins
>         Hohe Verbindlichkeitsstufe
>
> So in English:
> - Domain Users
> - Everyone
> - Users
> - INTERACTIVE
> - Console Logon
> - Authenticated User
> - This Organization
> - Local
> - Local Admins
> - High Mandatory Level
>
> Rejoining the Computer does not make any difference as well as 
> adjusting the SYSVOL permissions as described in several threads. So 
> from my pov the right thing to solve this issue is to get the computer 
> account to the correct trustlevel/security group membership.
>
> Unfortunately I found no way doing so.
>
> So if anyone has an idea on what to do here would be greatly 
> appreciated (BTW. Looking at effective user rights for the SYSVOL 
> shares the machine account <COMPUTERNAME>$ as well as SYSTEM should 
> have access rights. Unfortunately the GPO thinks otherwise.
>
> Also note that Computer GPO is the only thing that is not working. And 
> I also tried all the solution proposals listed in the aforementioned 
> thread already - as expected with no success.
>
> Thanks!
> Martin
>
Just to make sure, are you modifying either of the two default GPOs ?

Rowland