[Samba] User GPOs not applied

Peter Milesson miles at atmos.eu
Tue Apr 6 20:09:25 UTC 2021

Hi Louis,

I've been struggling with this, and I still don't know what's the matter.

About the error, it still isn't solved. Updating the GPO from the group 
policy tool still gives the error. I have tried all of your suggestions. 
A few domain PCs (HP workstations of almost the same age) display 
successful updates, but most do not.

But I have got the offending PC to pick up the GPO. Sort of. If I assign 
both the PC and the specific user to the OU where the GPO is applied, it 
works. But the behavior is non-standard. If there is any kind of 
inheritance, it fails. I will leave it as it is at the moment. I will 
try to set up a new AD DC with your packages.

Thank you to all who have contributed advice here.

Best regards,


On 2021-04-06 11:55, L.P.H. van Belle via samba wrote:
> Hi Peter,
> To save you some time: a fresh version of Samba is not going to help.
> Just, that's what I think.
> Unless you're using very old Samba versions, but I don't think that.
> Now, look at this one.
> http://jaredheinrichs.com/how-to-fix-8007071a-the-remote-procedure-call-was-cancelled.html  
> So, is WMI enabled in the Windows firewalls?
> Or, better said, is Windows Defender set to "DomainNetworks",
> and is the active domain network showing your primary DNS domain name?
> Run on AD_DC/members: hostname -d
> On Windows, ipconfig/all will show it.
> If these are correct, try this.
> Disable IPv6 on Windows 10.
> In the PC firewall, add the LAN range CIDR to be trusted.
> Reboot the PC 2 times: after reboot 1, log in as Administrator,
> just a login, and reboot again, then log in as user.
> Now check it all again.
> I hope this gave you some ideas.
> Greetz,
> Louis
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Peter Milesson
>> via samba
>> Sent: Tuesday 6 April 2021 10:55
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] User GPOs not applied
>> Hi Louis,
>> As an example, I have got two PCs in the OU (named Shaky Computers). One
>> of the PCs is the one where the RSAT tools are installed and which I use
>> for administration of the domain. The other PC is the one where I most
>> want the applied GPO. Using the Group Policy Management tool, I mark the
>> OU, and force an update on the OU. On the administration PC the
>> update succeeds, but on the other PC it doesn't (and it doesn't succeed
>> on any other PCs if I use another OU with most of the domain PCs). The
>> error code is 8007071a (The remote procedure call was cancelled).
>> I have tried to set GPOs on individual users, as well as user groups
>> like Authenticated Users (all users in the domain). The User GPOs are
>> not applied.
>> Only default domain policy is set on the PCs, no other GPOs set here.
>> If I run gpupdate /force from a cmd window, it reports "Computer Policy
>> update has completed successfully" and "User Policy update has completed
>> successfully".
> well, in that case, check if user "SYSTEM" has access..
>> Maybe it's better to wait until I have configured a fresh version of
>> Samba under Debian. I do not risk it during the working week, I put it
>> off until the weekend.
>> Thanks for your input.
>> Best regards,
>> Peter
>> On 2021-04-06 09:55, L.P.H. van Belle via samba wrote:
>>> On the PC, run CMD:
>>> GPRESULT /H c:\GPReport.html
>>> check that report.
>>> In which OU is the user created?
>>> On which OU is the USER GPO set?
>>> On which OU is the COMPUTER GPO set?
>>> Run a: gpupdate /force
>>> Are there now any Windows event IDs?
>>> These things are needed to know.
>>> greetz,
>>> Louis
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Peter Milesson
>>>> via samba
>>>> Sent: Monday 5 April 2021 17:28
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] User GPOs not applied
>>>> Hi Stefan,
>>>> The GPOs do not apply for any user. If I create other OUs and link the
>>>> GPOs there, it's got absolutely no effect. Everything seems to be in
>>>> order using samba-tool, except that the GPOs do not show up for users.
>>>> The GPOs do not show up even if I apply them to Authenticated users.
>>>> Computer GPOs work, but not User GPOs.
>>>> Thanks for your input.
>>>> Best regards,
>>>> Peter
>>>> On 2021-04-05 14:06, Stefan Kania via samba wrote:
>>>>> The first step to do if a GPO for a user is not working is "samba-tool
>>>>> gpo list <username>" to see if the GPO is relevant for the user. If your
>>>>> GPO is not listed, check that the user is in the OU you linked the GPO to.
>>>>> On 05.04.21 at 09:04, Peter Milesson via samba wrote:
>>>>>> Hi folks,
>>>>>> I have got a problem where GPOs set for a single user or a user group
>>>>>> are not applied. The GPOs should be applied to Windows 10 Pro computers
>>>>>> when the specific user(s) log in. The GPOs are defined for users, not
>>>>>> computers. Domain GPOs for domain computers are applied appropriately,
>>>>>> roaming profiles work, authentication works, the sysvol and netlogon
>>>>>> shares on the DC are accessible and readable by all users, DNS works. I
>>>>>> have tried with existing users and newly created test users. The GPOs
>>>>>> are not applied. The GPOs (minimum Windows server 2003 or XP) are:
>>>>>> - Set time limit for disconnected sessions
>>>>>> - Set time limit for active but idle Remote Services sessions
>>>>>> - End session when time limits are reached
>>>>>> The AD DC is a self-compiled 4.9.1, CentOS 7.9, the kernel is the latest
>>>>>> EL-repo ML-kernel (5.11.7-1). SSSD is NOT installed, neither is NIS or
>>>>>> NFS. The .local TLD is used in the network (for almost 20 years), and
>>>>>> all mDNS and zero configurations are prohibited and disabled. All
>>>>>> workstations in the network are Windows 10 Pro with the latest updates,
>>>>>> and ESET Business antivirus. The main file server, containing the user
>>>>>> profiles, runs CentOS 7.8 with Samba 4.10.4, which I assume has got
>>>>>> nothing to do with the problem.
>>>>>> Would installing and setting up a new Debian Buster AD DC solve the
>>>>>> problem?
>>>>>> Best regards,
>>>>>> Peter
>>>>>> smb.conf
>>>>>> ========
>>>>>> # Global parameters
>>>>>> [global]
>>>>>>            netbios name = KONADC
>>>>>>            realm = KONSTRUKCE.LOCAL
>>>>>>            server role = active directory domain controller
>>>>>>            workgroup = KONSTRUKCE
>>>>>>            idmap_ldb:use rfc2307 = yes
>>>>>>            username map = /etc/samba/user.map
>>>>>>            dns forwarder =
>>>>>> [netlogon]
>>>>>>            path = /var/lib/samba/sysvol/konstrukce.local/scripts
>>>>>>            read only = No
>>>>>> [sysvol]
>>>>>>            path = /var/lib/samba/sysvol
>>>>>>            read only = No
>>>>>> krb5.conf
>>>>>> ========
>>>>>> [libdefaults]
>>>>>>            default_realm = KONSTRUKCE.LOCAL
>>>>>>            dns_lookup_realm = false
>>>>>>            dns_lookup_kdc = true
>>>>>> resolv.conf
>>>>>> =========
>>>>>> search konstrukce.local
>>>>>> nameserver
>>>>>> nsswitch.conf
>>>>>> ===========
>>>>>> passwd:      files winbind
>>>>>> shadow:     files
>>>>>> group:       files winbind
>>>>>> hosts:      files dns myhostname
>>>>>> bootparams: nisplus [NOTFOUND=return] files
>>>>>> ethers:     files
>>>>>> netmasks:   files
>>>>>> networks:   files
>>>>>> protocols:  files
>>>>>> rpc:        files
>>>>>> services:   files
>>>>>> netgroup:   nisplus
>>>>>> publickey:  nisplus
>>>>>> automount:  files nisplus
>>>>>> aliases:    files nisplus
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba