[Samba] User GPOs not applied

Peter Milesson miles at atmos.eu
Tue Apr 6 08:55:20 UTC 2021

Hi Louis,

As an example, I have got two PCs in the OU (named Shaky Computers). One 
of the PCs is the one where the RSAT tools are installed and which I use 
for administration of the domain. The other PC is the one where I most 
want the applied GPO. Using the Group Policy Management tool, I mark the 
OU, and issue a force an update on the OU. On the administration PC the 
update succeeds, but on the other PC it doesn't (and it doesn't succeed 
on any other PCs if I use another OU with most of the domain PCs). The 
error code is 8007071a (The remote procedure call was cancelled).

I have tried to set GPOs on individual users, as well as user groups 
like Authenticated Users (all users in the domain). The User GPOs are 
not applied.
Only default domain policy is set on the PCs, no other GPOs set here.

If I run gpupdate /force from a cmd window, it reports "Computer Policy 
update has completed successfully" and "User Policy update has completed 

Maybe it's better to wait until I have configured a fresh version of 
Samba under Debian. I do not risk it during the working week, i put it 
off until the weekend.

Thanks for your input.

Best regards,


On 2021-04-06 09:55, L.P.H. van Belle via samba wrote:
> On the PC, run CMD:
> GPRESULT /H c:\GPReport.html
> check that report.
> In which OU is the user created?
> ON which OU is the USER GPO set?
> ON which OU is the COMPUTER GPO set?
> Run a : gupdate /force
> Are there now any windows eventid's?
> These things are needed to know.
> greetz,
> Louis
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Peter Milesson
>> via samba
>> Verzonden: maandag 5 april 2021 17:28
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] User GPOs not applied
>> Hi Stefan,
>> The GPOs do not apply for any user. If I create other OUs and link the
>> GPOs there, it's got absolutely no effect. Everything seems to be in
>> order using samba-tool, except that the GPOs do not show up for users.
>> The GPOs do not show up even if I apply them to Authenticated users.
>> Computer GPOs work, but not User GPOs.
>> Thanks for your input.
>> Best regards,
>> Peter
>> On 2021-04-05 14:06, Stefan Kania via samba wrote:
>>> The first step to do if a GPO for a user is not working is "samba-tool
>>> gpo list <username>" to see if the GPO is relevant for the user. If your
>>> GPO is not listed check that the user is in the ou you linked the GPO
>> to.
>>> Am 05.04.21 um 09:04 schrieb Peter Milesson via samba:
>>>> Hi folks,
>>>> I have got a problem where GPOs set for a single user or a user group
>>>> are not applied. The GPOs should be applied to Windows 10 Pro computers
>>>> when the specific user(s) log in. The GPOs are defined for users, not
>>>> computers. Domain GPOs for domain computers are applied appropriately,
>>>> roaming profiles work, authentication works, the sysvol and netlogon
>>>> shares on the DC are accessible and readable by all users, DNS works. I
>>>> have tried with existing users and newly created test users. The GPOs
>>>> are not applied. The GPOs (minimum Windows server 2003 or XP) are:
>>>> - Set time limit for disconnected sessions
>>>> - Set time limit for active but idle Remote Services sessions
>>>> - End session when time limits are reached
>>>> The AD DC is a self compiled 4.9.1, CentOS 7.9, the kernel is the
>> latest
>>>> EL-repo ML-kernel (5.11.7-1). SSSD is NOT installed, neither is NIS or
>>>> NFS. The .local TLD is used in the network (for almost 20 years), and
>>>> all mDNS och zero configurations are prohibited and disabled. All
>>>> workstations in the network are Windows 10 Pro with the latest updates,
>>>> and ESET Business antivirus. The main file server, containing the user
>>>> profiles, runs CentOS 7.8 with Samba 4.10.4, which I assume has got
>>>> nothing to do with the problem.
>>>> Would installing and setting up a new Debian Buster AD DC solve the
>>>> problem?
>>>> Best regards,
>>>> Peter
>>>> smb.conf
>>>> ========
>>>> # Global parameters
>>>> [global]
>>>>           netbios name = KONADC
>>>>           realm = KONSTRUKCE.LOCAL
>>>>           server role = active directory domain controller
>>>>           workgroup = KONSTRUKCE
>>>>           idmap_ldb:use rfc2307 = yes
>>>>           username map = /etc/samba/user.map
>>>>           dns forwarder =
>>>> [netlogon]
>>>>           path = /var/lib/samba/sysvol/konstrukce.local/scripts
>>>>           read only = No
>>>> [sysvol]
>>>>           path = /var/lib/samba/sysvol
>>>>           read only = No
>>>> krb5.conf
>>>> ========
>>>> [libdefaults]
>>>>           default_realm = KONSTRUKCE.LOCAL
>>>>           dns_lookup_realm = false
>>>>           dns_lookup_kdc = true
>>>> resolv.conf
>>>> =========
>>>> search konstrukce.local
>>>> nameserver
>>>> nsswitch.conf
>>>> ===========
>>>> passwd:      files winbind
>>>> shadow:     files
>>>> group:       files winbind
>>>> hosts:      files dns myhostname
>>>> bootparams: nisplus [NOTFOUND=return] files
>>>> ethers:     files
>>>> netmasks:   files
>>>> networks:   files
>>>> protocols:  files
>>>> rpc:        files
>>>> services:   files
>>>> netgroup:   nisplus
>>>> publickey:  nisplus
>>>> automount:  files nisplus
>>>> aliases:    files nisplus
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list