Group Policy Ordering

[David Mulder]

On 12/13/23 5:20 PM, Joe Dillon via samba-technical wrote:
> Suppose I link a policy called "Test Policy 1".  When samba-gpupdate runs, this policy will be in changed_gpo_list.  Suppose it sets the contents of /etc/test.txt to "testpolicy1".  The second time samba-gpupdate runs, it will not be in changed_gpo_list, and the CSE won't rewrite the file.  So far so good.  Now, I toggle "Test Policy 1" to enforced.  Rerunning samba-gpupdate does not process the policy.  Again, so far so good.  Suppose I link "Test Policy 2", unenforced.  Let's say the CSE for "Test Policy 2" would set the content of /etc/test.txt to "testpolicy2".  I would expect, since "Test Policy 1" has a higher priority, the contents of /etc/test.txt after a samba-gpupdate to be "testpolicy1".  When I run samba-gpupdate,  only "Test Policy 2" is processed, since it is the only one that changed.  "--force" obviously corrects the issue.
>
> Is this intended behaviour or a bug?
This behavior changed significantly in recent versions of Samba. Which 
version are you referring to? Also, policy enforcement is handled 
per-extension, so you may see different behavior for each extension. 
 From your description, I would expect that there may be a bug in 
processing the changed_gpo_list?
> Second question: is it valid for GPOs based on .pol files to not write the registry entries to the local registry?  The above behaviour could be avoided if every gpupdate wrote all changes from all applicable GPOs to the registry and deferred processing to the end.
This was in the works 4 years ago, but was never completed. The current 
approach is for each extension to write their overlapping changes to a 
tdb file, and apply the appropriate policy from there.

-- 
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com