[Samba] GPO for Computer/Machine not working
Martin Tessun
martin.tessun at gmx.de
Thu Oct 31 09:03:38 UTC 2019
Hi all,
On 21.10.19 17:38, Martin Tessun wrote:
> Hi Rowland,
>
> On 20.10.19 19:16, Rowland penny wrote:
>> On 20/10/2019 16:52, Martin Tessun via samba wrote:
>>> Hi all,
>>>
>>> I am having the same issue that is described in an older thread
>>> here: https://lists.samba.org/archive/samba/2018-February/213656.html
>>>
>>> The problem I am facing is that the machine accounts are not trusted
>>> in the domain (this is true for all Win 10 Systems). The issue with
>>> the computer is from my pov:
>>>
>>>
>>> Folgende herausgefilterte Gruppenrichtlinien werdennicht
>>> angewendet.
>>> ----------------------------------------------------------------------
>>> Local Admins Policy
>>> Filterung: Verweigert (Sicherheit)
>>>
>>> Default Domain Policy
>>> Filterung: Verweigert (Sicherheit)
>>>
>>> Richtlinien der lokalen Gruppe
>>> Filterung: Nicht angewendet (Leer)
>>>
>>> Der Computer ist Mitglied der folgenden Sicherheitsgruppen
>>> ----------------------------------------------------------
>>> NULL SID
>>> NETZWERK
>>> Diese Organisation
>>> Nicht vertrauenswürdige Verbindlichkeitsstufe
>>>
>>> Sorry, the Windows is German unfortunately, but what is happening is
>>> mainly that the PC doesn not have access to the SYSVOL share, as the
>>> Computer Account is not part of the correct security groups´(see
>>> above), but instead is part of:
>>> - NULL SID
>>> - NETWORK
>>> - THIS ORGANISATION
>>> - Untrusted Mandatory Level
>>>
>>> From my PoV the Computer should be part of:
>>> - Authenticated Users
>>> - Domain Computers
>>> - High Mandatory Level
>>>
>>> This is not the case and the reason the machine does not get access
>>> to the sysvol. This can also be seen within the details, as the
>>> gpt.ini can't be accessed (Policy Version 65535):
>>>
>>> Verknüpfungsort ad.die-tessuns.de
>>> Konfigurierte Erweiterungen {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
>>> Erzwungen Nein
>>> Deaktiviert Keine
>>> Sicherheitsfilter NT-AUTORITÄT\Authentifizierte Benutzer
>>> Revision AD (2), SYSVOL (65535)
>>> WMI-Filter
>>> Grund: abgelehnt Zugriff verweigert (Sicherheitsfilterung)
>>>
>>>
>>> Whereas the User has the correct security Groups:
>>>
>>> Der Benutzer ist Mitglied der folgenden Sicherheitsgruppen
>>> ----------------------------------------------------------
>>> Domain Users
>>> Jeder
>>> Benutzer
>>> INTERAKTIV
>>> KONSOLENANMELDUNG
>>> Authentifizierte Benutzer
>>> Diese Organisation
>>> LOKAL
>>> Local Admins
>>> Hohe Verbindlichkeitsstufe
>>>
>>> So in English:
>>> - Domain Users
>>> - Everyone
>>> - Users
>>> - INTERACTIVE
>>> - Console Logon
>>> - Authenticated User
>>> - This Organization
>>> - Local
>>> - Local Admins
>>> - High Mandatory Level
>>>
>>> Rejoining the Computer does not make any difference as well as
>>> adjusting the SYSVOL permissions as described in several threads. So
>>> from my pov the right thing to solve this issue is to get the
>>> computer account to the correct trustlevel/security group membership.
>>>
>>> Unfortunately I found no way doing so.
>>>
>>> So if anyone has an idea on what to do here would be greatly
>>> appreciated (BTW. Looking at effective user rights for the SYSVOL
>>> shares the machine account <COMPUTERNAME>$ as well as SYSTEM should
>>> have access rights. Unfortunately the GPO thinks otherwise.
>>>
>>> Also note that Computer GPO is the only thing that is not working.
>>> And I also tried all the solution proposals listed in the
>>> aforementioned thread already - as expected with no success.
>>>
>>> Thanks!
>>> Martin
>>>
>> Just to make sure, are you modifying either of the two default GPOs ?
>>
>
> This doesn't make any difference at all. I tried it with the Default
> Domain Policy as well as a separate policy. The results are all the
> same. As said, I tried all the proposed solutions in the old thread I
> linked.
> Please also note that all GPOs for Users get applied and work (as the
> users have the "correct" Security Groups), but computer accounts are
> not able to apply the GPO.
>
> Even opening up the SYSVOL share for everyone does not help - as the
> machine is part of "NULL SID" and "Untrusted Mandatory Level" which
> leads to the machine account not having any access to any share in the
> domain regardless of its security.
>
> The machine account itself is in "Domain Computers" and if I check the
> %COMPUTERNAME%$ account to the share it *should* have access.
> Unfortunately the GPO tooling of Microsoft thinks differently - that
> is why it is not part of "Authenticated Users" as it should be
> according to MS.
>
> This is how a machine/computer should look like in terms of Security
> Groups in AD (at the very least):
>
> The computer is a part of the following security groups:
> --------------------------------------------------------
> Everyone
> NT AUTHORITY\NETWORK
> NT AUTHORITY\Authenticated Users
>
>
> And this is what my machines in the Samba domain all look like
> (according to gpresult):
>
> The computer is a part of the following security groups:
> --------------------------------------------------------
> NULL SID
> NETWORK
> THIS ORGANISATION
> Untrusted Mandatory Level
>
> And that exact mismatch to what MS says a machine account should be
> and what all my Samba accounts are seems to be the issue from my PoV.
> The machine is neither part of "Everyone" nor of "Authenticated Users"
> security group, which it should - also see e.g.
> https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759506(v=ws.10)?redirectedfrom=MSDN
>
Really no one knows something? Can someone with working Computer GPOs
please check the security group of his/her computer? So the main
question is: Are the (from my pov) wrong security groups for the machine
account the real issue?
Also: Why does the %COMPUTERNAME%$-Account show up in the correct
security groups, while gpresult shows the computer is not trusted. All
other things work (Authentication, Mounting shares, etc.) - just the GPO
shows these strange results and is not working.
Thanks!
Martin
> Cheers,
> Martin
>
>> Rowland
>>
>>
>>
>>
>
>
>
>
More information about the samba
mailing list