The first step to do if a GPO for a user is not working is "samba-tool gpo list <username>" to see if the GPO is relevant for the user. If your GPO is not listed, check that the user is in the OU you linked the GPO to.

On 05.04.21 at 09:04, Peter Milesson via samba wrote:
> Hi folks,
>
> I have got a problem where GPOs set for a single user or a user group
> are not applied. The GPOs should be applied to Windows 10 Pro computers
> when the specific user(s) log in. The GPOs are defined for users, not
> computers. Domain GPOs for domain computers are applied appropriately,
> roaming profiles work, authentication works, the sysvol and netlogon
> shares on the DC are accessible and readable by all users, DNS works. I
> have tried with existing users and newly created test users. The GPOs
> are not applied. The GPOs (minimum Windows Server 2003 or XP) are:
>
> - Set time limit for disconnected sessions
> - Set time limit for active but idle Remote Services sessions
> - End session when time limits are reached
>
> The AD DC is a self-compiled 4.9.1, CentOS 7.9, the kernel is the latest
> EL-repo ML-kernel (5.11.7-1). SSSD is NOT installed, neither is NIS or
> NFS. The .local TLD is used in the network (for almost 20 years), and
> all mDNS and zero configurations are prohibited and disabled. All
> workstations in the network are Windows 10 Pro with the latest updates,
> and ESET Business antivirus. The main file server, containing the user
> profiles, runs CentOS 7.8 with Samba 4.10.4, which I assume has got
> nothing to do with the problem.
>
> Would installing and setting up a new Debian Buster AD DC solve the
> problem?
>
> Best regards,
>
> Peter
>
>
> smb.conf
> =======
> # Global parameters
> [global]
>         netbios name = KONADC
>         realm = KONSTRUKCE.LOCAL
>         server role = active directory domain controller
>         workgroup = KONSTRUKCE
>         idmap_ldb:use rfc2307 = yes
>         username map = /etc/samba/user.map
>         dns forwarder = 192.168.0.221
>
> [netlogon]
>         path = /var/lib/samba/sysvol/konstrukce.local/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
>
> krb5.conf
> =======
> [libdefaults]
>         default_realm = KONSTRUKCE.LOCAL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> resolv.conf
> ========
> search konstrukce.local
> nameserver 127.0.0.1
>
> nsswitch.conf
> ==========
> passwd:      files winbind
> shadow:     files
> group:       files winbind
>
> hosts:      files dns myhostname
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
> netgroup:   nisplus
> publickey:  nisplus
> automount:  files nisplus
> aliases:    files nisplus

--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps to reduce spam and protects your privacy.
A free certificate is available at https://www.dgn.de/dgncert/index.html

Hi Stefan,

The GPOs do not apply for any user. If I create other OUs and link the GPOs there, it's got absolutely no effect. Everything seems to be in order using samba-tool, except that the GPOs do not show up for users. The GPOs do not show up even if I apply them to Authenticated users. Computer GPOs work, but not User GPOs.

Thanks for your input.

Best regards,

Peter

On 2021-04-05 14:06, Stefan Kania via samba wrote:
> The first step to do if a GPO for a user is not working is "samba-tool
> gpo list <username>" to see if the GPO is relevant for the user. If your
> GPO is not listed, check that the user is in the OU you linked the GPO to.

On the PC, run CMD:

GPRESULT /H c:\GPReport.html

Check that report.

In which OU is the user created?
On which OU is the USER GPO set?
On which OU is the COMPUTER GPO set?

Run: gpupdate /force

Are there now any Windows event IDs?

These things are needed to know.

greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Peter Milesson
> via samba
> Sent: Monday, 5 April 2021 17:28
> To: samba at lists.samba.org
> Subject: Re: [Samba] User GPOs not applied
>
> Hi Stefan,
>
> The GPOs do not apply for any user. If I create other OUs and link the
> GPOs there, it's got absolutely no effect. Everything seems to be in
> order using samba-tool, except that the GPOs do not show up for users.
> The GPOs do not show up even if I apply them to Authenticated users.
> Computer GPOs work, but not User GPOs.
>
> Thanks for your input.
>
> Best regards,
>
> Peter
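
The client-side checks requested in the last message, collected into one PowerShell script. This is an added example, not part of the original thread; the report path is the one from the message, while limiting the refresh and report to the user scope and filtering the event log to warnings and errors are assumptions made here.

```powershell
# Added example: run on the Windows 10 client while logged on as the
# affected user. Assumptions (not from the thread): user scope only,
# and only warnings/errors are pulled from the Group Policy log.

$report = 'C:\GPReport.html'   # path used in the message above; writing to
                               # C:\ may need elevation, change it if so
$start  = Get-Date             # events are collected from this moment on

# 1. Show the distinguished name of the logged-on user. The OU part of the
#    DN is what has to match the OU the user GPO is linked to.
$userDn = whoami /fqdn
Write-Output "User DN: $userDn"

# 2. Force a refresh of user policy, then write the resultant-set-of-policy
#    report for the user scope (/F overwrites an existing report file).
gpupdate /Target:User /Force
gpresult /Scope User /H $report /F
Write-Output "Report written to $report"

# 3. Collect what the Group Policy client logged during the refresh.
#    The event IDs and messages are what the list needs to see.
$filter = @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    StartTime = $start
    Level     = 2, 3           # 2 = Error, 3 = Warning
}
# Get-WinEvent raises an error when nothing matches; treat that as "none".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if ($events) {
    $events | Sort-Object TimeCreated |
        Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
} else {
    Write-Output 'No Group Policy warnings or errors logged during the refresh.'
}
```

In the HTML report, the user section lists applied and denied GPOs together with the reason a GPO was filtered out, which can be compared with the output of "samba-tool gpo list <username>" on the DC.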