[Samba] GPO for Computer/Machine not working
Rowland Penny
rpenny at samba.org
Sun Oct 20 17:16:44 UTC 2019
On 20/10/2019 16:52, Martin Tessun via samba wrote:
> Hi all,
>
> I am having the same issue that is described in an older thread here:
> https://lists.samba.org/archive/samba/2018-February/213656.html
>
> The problem I am facing is that the machine accounts are not trusted
> in the domain (this is true for all Win 10 Systems). The issue with
> the computer is from my pov:
>
>
> Folgende herausgefilterte Gruppenrichtlinien werden nicht angewendet.
> ----------------------------------------------------------------------
> Local Admins Policy
> Filterung: Verweigert (Sicherheit)
>
> Default Domain Policy
> Filterung: Verweigert (Sicherheit)
>
> Richtlinien der lokalen Gruppe
> Filterung: Nicht angewendet (Leer)
>
> Der Computer ist Mitglied der folgenden Sicherheitsgruppen
> ----------------------------------------------------------
> NULL SID
> NETZWERK
> Diese Organisation
> Nicht vertrauenswürdige Verbindlichkeitsstufe
>
> Sorry, the Windows is German unfortunately, but what is happening is
> mainly that the PC does not have access to the SYSVOL share, as the
> Computer Account is not part of the correct security groups (see
> above), but instead is part of:
> - NULL SID
> - NETWORK
> - THIS ORGANISATION
> - Untrusted Mandatory Level
>
> From my PoV the Computer should be part of:
> - Authenticated Users
> - Domain Computers
> - High Mandatory Level
>
> This is not the case and the reason the machine does not get access to
> the sysvol. This can also be seen within the details, as the gpt.ini
> can't be accessed (Policy Version 65535):
>
> Verknüpfungsort ad.die-tessuns.de
> Konfigurierte Erweiterungen {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
> Erzwungen Nein
> Deaktiviert Keine
> Sicherheitsfilter NT-AUTORITÄT\Authentifizierte Benutzer
> Revision AD (2), SYSVOL (65535)
> WMI-Filter
> Grund: abgelehnt Zugriff verweigert (Sicherheitsfilterung)
>
>
> Whereas the User has the correct security Groups:
>
> Der Benutzer ist Mitglied der folgenden Sicherheitsgruppen
> ----------------------------------------------------------
> Domain Users
> Jeder
> Benutzer
> INTERAKTIV
> KONSOLENANMELDUNG
> Authentifizierte Benutzer
> Diese Organisation
> LOKAL
> Local Admins
> Hohe Verbindlichkeitsstufe
>
> So in English:
> - Domain Users
> - Everyone
> - Users
> - INTERACTIVE
> - Console Logon
> - Authenticated User
> - This Organization
> - Local
> - Local Admins
> - High Mandatory Level
>
> Rejoining the Computer does not make any difference as well as
> adjusting the SYSVOL permissions as described in several threads. So
> from my pov the right thing to solve this issue is to get the computer
> account to the correct trustlevel/security group membership.
>
> Unfortunately I found no way doing so.
>
> So if anyone has an idea on what to do here, that would be greatly
> appreciated (BTW, looking at effective user rights for the SYSVOL
> shares, the machine account <COMPUTERNAME>$ as well as SYSTEM should
> have access rights. Unfortunately the GPO thinks otherwise.)
>
> Also note that Computer GPO is the only thing that is not working. And
> I also tried all the solution proposals listed in the aforementioned
> thread already - as expected with no success.
>
> Thanks!
> Martin
>
Just to make sure, are you modifying either of the two default GPOs?
Rowland
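
The comparison the quoted report makes by hand, as an added example that is not part of the original thread: it reads the German-language gpresult lines quoted above and flags a security-filter group missing from the computer's group list and a SYSVOL revision of 65535. The function names and the trimmed sample text are assumptions for illustration; the field labels are the ones in the quoted output.

```python
import re

# Constructed sample: gpresult lines quoted in the thread (German Windows), trimmed.
SAMPLE = """\
Der Computer ist Mitglied der folgenden Sicherheitsgruppen
----------------------------------------------------------
NULL SID
NETZWERK
Diese Organisation
Nicht vertrauenswürdige Verbindlichkeitsstufe

Verknüpfungsort ad.die-tessuns.de
Sicherheitsfilter NT-AUTORITÄT\\Authentifizierte Benutzer
Revision AD (2), SYSVOL (65535)
"""

GROUP_HEADER = "Der Computer ist Mitglied der folgenden Sicherheitsgruppen"
UNREADABLE = 65535  # SYSVOL revision the quoted report shows where gpt.ini was not accessed

def computer_groups(report):
    """Return the group names listed under the computer's group header."""
    groups, in_block = [], False
    for line in report.splitlines():
        text = line.strip()
        if text == GROUP_HEADER:
            in_block = True
        elif in_block and not text:
            break                      # a blank line ends the list
        elif in_block and not text.startswith("---"):
            groups.append(text)
    return groups

def diagnose(report):
    """Return findings for the two symptoms described in the report."""
    findings = []
    groups = {g.casefold() for g in computer_groups(report)}
    flt = re.search(r"^Sicherheitsfilter\s+(.+)$", report, re.M)
    if flt:
        name = flt.group(1).strip().split("\\")[-1]   # drop the authority prefix
        if name.casefold() not in groups:
            findings.append(f"filter group '{name}' not in computer's group list")
    rev = re.search(r"^Revision\s+AD \((\d+)\), SYSVOL \((\d+)\)", report, re.M)
    if rev:
        ad, sysvol = int(rev.group(1)), int(rev.group(2))
        if sysvol == UNREADABLE:
            findings.append(f"SYSVOL revision {sysvol}, AD revision {ad}: gpt.ini not read")
        elif sysvol != ad:
            findings.append(f"SYSVOL revision {sysvol} differs from AD revision {ad}")
    return findings
```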