samba - Aug 2016 - Unable to create GPO "Allow log on locally"

Hi,

I've a Samba 4.4.5 AD DC working fine.
But when I try to create a GPO on "Computer Configuration>Policies>
Windows Settings>Security Settings>Local Policies>User Rights
Assignment>Allow Logon Locally" I can add Administrators, Domain Admin
to the listbox but I'm unable to apply.

When I click "Ok" or "Apply" the dialog won't close.

I tested this on a real Win2008R2 Server and it works here without problems.

Any ideas how to get out there? There aare no logs (neiter on
Samba-Server nor on the Windows RSAT client).



Thanks in advance


--

On 8/4/2016 10:11 AM, nanocosm at gmail.com wrote:
> Hi,
>
> I've a Samba 4.4.5 AD DC working fine.
> But when I try to create a GPO on "Computer
Configuration>Policies>
> Windows Settings>Security Settings>Local Policies>User Rights
> Assignment>Allow Logon Locally" I can add Administrators, Domain
Admin
> to the listbox but I'm unable to apply.
>
> When I click "Ok" or "Apply" the dialog won't
close.
>
> I tested this on a real Win2008R2 Server and it works here without
problems.
>
> Any ideas how to get out there? There aare no logs (neiter on
> Samba-Server nor on the Windows RSAT client).
>
>
>
> Thanks in advance
>
>
I created this policy twice. Once in the default 'Group Policy Objects' 
container and one as a 'create a GPO in this domain, and link it 
here...'. Both worked with the same user and groups you specified. This 
is on a Windows 7 device using RSAT. Not sure what your issue is, but it 
does seem to work.

-- 
-James

Am 04.08.2016 um 17:11 schrieb lingpanda101 at
gmail.com:
> On 8/4/2016 10:11 AM, nanocosm at gmail.com wrote:
>> Hi,
>>
>> I've a Samba 4.4.5 AD DC working fine.
>> But when I try to create a GPO on "Computer
Configuration>Policies>
>> Windows Settings>Security Settings>Local Policies>User Rights
>> Assignment>Allow Logon Locally" I can add Administrators,
Domain Admin
>> to the listbox but I'm unable to apply.
>>
>> When I click "Ok" or "Apply" the dialog won't
close.
>>
>> I tested this on a real Win2008R2 Server and it works here without
>> problems.
>>
>> Any ideas how to get out there? There aare no logs (neiter on
>> Samba-Server nor on the Windows RSAT client).
>>
>>
>>
>> Thanks in advance
>>
>>
> 
> I created this policy twice. Once in the default 'Group Policy
Objects'
> container and one as a 'create a GPO in this domain, and link it
> here...'. Both worked with the same user and groups you specified. This
> is on a Windows 7 device using RSAT. Not sure what your issue is, but it
> does seem to work.
> 

Hmmm, perhaps it's Windows10 and the RSAT Tools for Windows10 ?
Since it's impossible to install the RSAT Tools for Windows7 on
Windows10 I'll try the Win7 RSAT Tools on Win7 Client and report back.

Am 04.08.2016 um 17:11 schrieb lingpanda101 at
gmail.com:
> On 8/4/2016 10:11 AM, nanocosm at gmail.com wrote:
>> Hi,
>>
>> I've a Samba 4.4.5 AD DC working fine.
>> But when I try to create a GPO on "Computer
Configuration>Policies>
>> Windows Settings>Security Settings>Local Policies>User Rights
>> Assignment>Allow Logon Locally" I can add Administrators,
Domain Admin
>> to the listbox but I'm unable to apply.
>>
>> When I click "Ok" or "Apply" the dialog won't
close.
>>
>> I tested this on a real Win2008R2 Server and it works here without
>> problems.
>>
>> Any ideas how to get out there? There aare no logs (neiter on
>> Samba-Server nor on the Windows RSAT client).
>>
>>
>>
>> Thanks in advance
>>
>>
> 
> I created this policy twice. Once in the default 'Group Policy
Objects'
> container and one as a 'create a GPO in this domain, and link it
> here...'. Both worked with the same user and groups you specified. This
> is on a Windows 7 device using RSAT. Not sure what your issue is, but it
> does seem to work.
> 
Interestingly it seems to be related to a german Windows10/RSAT and the
translation of "Administratoren"(EN:Administrators) built-in groups
into
the SID '*S-1-5-32-544'

I've digged into GPO manually and edited the 'GptTmpl.inf' file.
When I
add all the groups manually it works and will be shown afterwards in the
gpedit.msc.

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight
*S-1-5-32-544,*S-1-5-21-2350650622-768076714-1495782470-512,*S-1-5-21-2350650622-768076714-1495782470-500,Administrators,*S-1-5-21-2350650622-768076714-1495782470-1115


Using Winows7/RSAT Tools for Win7 doesn't worked, probably because it
was also in german. Next thing I want to try is using an englisch
version of Win10/RSAT tools.
I'll report back...


--