[Samba] User GPOs not applied

L.P.H. van Belle belle at bazuin.nl
Tue Apr 6 09:55:41 UTC 2021


Hi Peter,

To save you some time: a fresh version of Samba is not going to help.
Just, that's what I think.
Unless you're using very old Samba versions, but I don't think that.

Now, look at this one. 
http://jaredheinrichs.com/how-to-fix-8007071a-the-remote-procedure-call-was-cancelled.html 

So, is WMI enabled in the Windows firewalls?
Or, better said, is Windows Defender set to "DomainNetworks",
and is the active domain network showing your primary DNS domain name?
Run on AD DC/members: hostname -d
On Windows, ipconfig /all will show it.

If these are correct, try this.
Disable IPv6 on Windows 10.
In the PC firewall, add the LAN range CIDR to be trusted.
Reboot the PC 2 times: after reboot 1, log in as Administrator.
Just a login, and reboot again, then log in as user.

Now check it all again.

I hope this gave you some ideas. 


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Peter Milesson
> via samba
> Sent: Tuesday, 6 April 2021 10:55
> To: samba at lists.samba.org
> Subject: Re: [Samba] User GPOs not applied
> 
> Hi Louis,
> 
> As an example, I have got two PCs in the OU (named Shaky Computers). One
> of the PCs is the one where the RSAT tools are installed and which I use
> for administration of the domain. The other PC is the one where I most
> want the applied GPO. Using the Group Policy Management tool, I mark the
> OU, and force an update on the OU. On the administration PC the
> update succeeds, but on the other PC it doesn't (and it doesn't succeed
> on any other PCs if I use another OU with most of the domain PCs). The
> error code is 8007071a (The remote procedure call was cancelled).
> 
> I have tried to set GPOs on individual users, as well as user groups
> like Authenticated Users (all users in the domain). The User GPOs are
> not applied.
> Only default domain policy is set on the PCs, no other GPOs set here.
> 
> If I run gpupdate /force from a cmd window, it reports "Computer Policy
> update has completed successfully" and "User Policy update has completed
> successfully".

Well, in that case, check if user "SYSTEM" has access.

> 
> Maybe it's better to wait until I have configured a fresh version of
> Samba under Debian. I do not risk it during the working week, I put it
> off until the weekend.
> 
> Thanks for your input.
> 
> Best regards,
> 
> Peter
> 
> On 2021-04-06 09:55, L.P.H. van Belle via samba wrote:
> > On the PC, run CMD:
> >
> > GPRESULT /H c:\GPReport.html
> > check that report.
> >
> > In which OU is the user created?
> >
> > On which OU is the USER GPO set?
> > On which OU is the COMPUTER GPO set?
> >
> > Run a: gpupdate /force
> > Are there now any Windows event IDs?
> >
> > These things are needed to know.
> >
> > greetz,
> >
> > Louis
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Peter Milesson
> >> via samba
> >> Sent: Monday, 5 April 2021 17:28
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] User GPOs not applied
> >>
> >> Hi Stefan,
> >>
> >> The GPOs do not apply for any user. If I create other OUs and link the
> >> GPOs there, it's got absolutely no effect. Everything seems to be in
> >> order using samba-tool, except that the GPOs do not show up for users.
> >> The GPOs do not show up even if I apply them to Authenticated users.
> >> Computer GPOs work, but not User GPOs.
> >>
> >> Thanks for your input.
> >>
> >> Best regards,
> >>
> >> Peter
> >>
> >> On 2021-04-05 14:06, Stefan Kania via samba wrote:
> >>> The first step to do if a GPO for a user is not working is "samba-tool
> >>> gpo list <username>" to see if the GPO is relevant for the user. If your
> >>> GPO is not listed check that the user is in the OU you linked the GPO to.
> >>>
> >>> On 05.04.21 at 09:04, Peter Milesson via samba wrote:
> >>>> Hi folks,
> >>>>
> >>>> I have got a problem where GPOs set for a single user or a user group
> >>>> are not applied. The GPOs should be applied to Windows 10 Pro computers
> >>>> when the specific user(s) log in. The GPOs are defined for users, not
> >>>> computers. Domain GPOs for domain computers are applied appropriately,
> >>>> roaming profiles work, authentication works, the sysvol and netlogon
> >>>> shares on the DC are accessible and readable by all users, DNS works. I
> >>>> have tried with existing users and newly created test users. The GPOs
> >>>> are not applied. The GPOs (minimum Windows server 2003 or XP) are:
> >>>>
> >>>> - Set time limit for disconnected sessions
> >>>> - Set time limit for active but idle Remote Services sessions
> >>>> - End session when time limits are reached
> >>>>
> >>>> The AD DC is a self compiled 4.9.1, CentOS 7.9, the kernel is the latest
> >>>> EL-repo ML-kernel (5.11.7-1). SSSD is NOT installed, neither is NIS or
> >>>> NFS. The .local TLD is used in the network (for almost 20 years), and
> >>>> all mDNS and zero configurations are prohibited and disabled. All
> >>>> workstations in the network are Windows 10 Pro with the latest updates,
> >>>> and ESET Business antivirus. The main file server, containing the user
> >>>> profiles, runs CentOS 7.8 with Samba 4.10.4, which I assume has got
> >>>> nothing to do with the problem.
> >>>>
> >>>> Would installing and setting up a new Debian Buster AD DC solve the
> >>>> problem?
> >>>>
> >>>> Best regards,
> >>>>
> >>>> Peter
> >>>>
> >>>>
> >>>> smb.conf
> >>>> ========
> >>>> # Global parameters
> >>>> [global]
> >>>>           netbios name = KONADC
> >>>>           realm = KONSTRUKCE.LOCAL
> >>>>           server role = active directory domain controller
> >>>>           workgroup = KONSTRUKCE
> >>>>           idmap_ldb:use rfc2307 = yes
> >>>>           username map = /etc/samba/user.map
> >>>>           dns forwarder = 192.168.0.221
> >>>>
> >>>> [netlogon]
> >>>>           path = /var/lib/samba/sysvol/konstrukce.local/scripts
> >>>>           read only = No
> >>>>
> >>>> [sysvol]
> >>>>           path = /var/lib/samba/sysvol
> >>>>           read only = No
> >>>>
> >>>>
> >>>> krb5.conf
> >>>> ========
> >>>> [libdefaults]
> >>>>           default_realm = KONSTRUKCE.LOCAL
> >>>>           dns_lookup_realm = false
> >>>>           dns_lookup_kdc = true
> >>>>
> >>>> resolv.conf
> >>>> =========
> >>>> search konstrukce.local
> >>>> nameserver 127.0.0.1
> >>>>
> >>>> nsswitch.conf
> >>>> ===========
> >>>> passwd:      files winbind
> >>>> shadow:     files
> >>>> group:       files winbind
> >>>>
> >>>> hosts:      files dns myhostname
> >>>>
> >>>> bootparams: nisplus [NOTFOUND=return] files
> >>>>
> >>>> ethers:     files
> >>>> netmasks:   files
> >>>> networks:   files
> >>>> protocols:  files
> >>>> rpc:        files
> >>>> services:   files
> >>>> netgroup:   nisplus
> >>>> publickey:  nisplus
> >>>> automount:  files nisplus
> >>>> aliases:    files nisplus
> >>>>
> >>>>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
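
The client-side checks from Louis's reply at the top of this message (joined domain, network category, WMI firewall rules, IPv6 binding), collected into one read-only PowerShell script to run on the Windows 10 PC. This is an added example, not part of the original thread; `$ExpectedDomain` is an assumption taken from the realm in the quoted smb.conf, and `$WmiGroup` is the English display name of the firewall rule group.

```powershell
# Added example (not from the thread): read-only checks on the Windows 10 client.
$ExpectedDomain = 'konstrukce.local'   # assumption: realm from the quoted smb.conf
$WmiGroup = 'Windows Management Instrumentation (WMI)'   # English display name

$report = @()

# Joined domain as Windows sees it; compare with `hostname -d` on the DC and members.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$report += [pscustomobject]@{
    Check = 'Joined DNS domain'
    Value = $cs.Domain
    OK    = $cs.PartOfDomain -and ($cs.Domain -eq $ExpectedDomain)
}

# The active network must be classified as a domain network named after the AD domain.
foreach ($p in Get-NetConnectionProfile) {
    $report += [pscustomobject]@{
        Check = "Network category on $($p.InterfaceAlias)"
        Value = "$($p.Name) ($($p.NetworkCategory))"
        OK    = ($p.NetworkCategory -eq 'DomainAuthenticated') -and
                ($p.Name -like "$ExpectedDomain*")
    }
}

# Inbound WMI rules that are enabled and apply to the Domain profile.
$wmi = @(Get-NetFirewallRule -DisplayGroup $WmiGroup -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' })
$open = @($wmi | Where-Object {
    $_.Enabled -eq 'True' -and "$($_.Profile)" -match 'Any|Domain' })
$report += [pscustomobject]@{
    Check = 'Inbound WMI rules enabled for Domain profile'
    Value = "$($open.Count) of $($wmi.Count)"
    OK    = ($wmi.Count -gt 0) -and ($open.Count -eq $wmi.Count)
}

# IPv6 binding per adapter: reported only, since disabling it is a troubleshooting step.
foreach ($b in Get-NetAdapterBinding -ComponentID ms_tcpip6) {
    $report += [pscustomobject]@{
        Check = "IPv6 bound on $($b.Name)"
        Value = $b.Enabled
        OK    = $null
    }
}

$report | Format-Table -AutoSize -Wrap
```

A network that shows as Public or Private instead of DomainAuthenticated means the Domain firewall profile is not the one in effect, so rules scoped to that profile do not apply to the connection.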




