[Samba] GPO not getting updated on Windows 10

Anantha Raghava H A raghav at exzatech.net
Mon Aug 14 02:13:51 UTC 2023


Thanks for the pointer.

Actually, we had delinked the OU and blocked the policy inheritance for 
the policy. However, we noticed that we even had to delink the domain 
member PCs for the policy change to take effect. For testing, we created 
new OU - "CleanOU" and a new policy - "NoGPO". We did not define any 
policy and even blocked the default policy inheritance and linked it to 
"CleanOU". When we moved the user into this new OU and logged in, the 
expectation was that no Policies should get applied. However, it is 
observed that default policies were getting applied and that too more 
than once. We observed that since the domain member PC was a member of 
different OU and the default system-level policies were getting applied 
despite moving the user into new OU with No GPO. When we delinked the 
domain member PC from the default policies, everything started working 

Thanks & Regards,

Anantha Raghava H A

This e-mail communication and any attachments may be privileged and 
confidential to Exzatech Consulting And Services Pvt. Ltd., Bangalore, 
and are intended only for the use of the recipients named above If you 
are not the addressee you may not copy, forward, disclose or use any 
part of it. If you have received this message in error, please delete it 
and all copies from your system and notify the sender immediately by 
return e-mail. Internet communications cannot be guaranteed to be 
timely, secure, error or virus-free. The sender does not accept 
liability for any errors or omissions.

Do not print this e-mail unless required. Save Paper & trees.

On 11/08/23 7:00 pm, David Mulder via samba wrote:
> On 8/10/23 8:48 PM, Anantha Raghava H A via samba wrote:
>> Hi,
>> Our Domain controller environment is working for over 6 years without 
>> a break. It started with Samba Version 4.6.5 and today running 
>> 4.18.5. We have only Windows 10 clients across our organisation.
>> Off late, we have observed that GPOs are not getting updated when we 
>> change some GPOs and link them to some specific OUs. For example, 
>> previously, we had not allowed one specific network path to one 
>> particular OU and we controlled it through GPO due to organisation 
>> decisions, we had to allow the network path to this OU as well and 
>> hence the GPO was modified.
>> Despite running gpupdate / force several times, it is observed that 
>> the changed GPO is not getting applied and the network path is still 
>> being blocked. We even checked by delinking all GPO for this 
>> particular OU and the same old GPOs are getting reapplied.
>> Initially, we thought, there could be a problem in gpupdate /force 
>> may not be working properly and did checks using commands like "sfc 
>> /scannow" and the result is everything was fine on the PCs. But 
>> gpupdate /force continues to apply old policies.
>> We even checked sysvol with samba-tool and everything seems to be 
>> fine there as well.
>> We are now unable to figure out where the problem could be. Samba 
>> side or Windows client side? Or is it a GPO linking problem?
>> PS: We are using Windows Server 2019 for RSAT and to Edit GPO.
> I wonder if perhaps you have a DC which isn't replicating the SYSVOL 
> properly? Also, make sure the Version number is getting updated on the 
> GPO on the SYSVOL in the GPT.INI file when you modify a policy.

More information about the samba mailing list