On 2/6/2018 1:42 PM, Robert Marcano via samba wrote:
> On 02/06/2018 01:44 PM, Micha Ballmann via samba wrote:
>> Hello,
>>
>> I have a testing environment, 2 DCs Ubuntu 18.04, SAMBA 4.7.4 - MIT
>> Kerberos (clean, not upgraded). I just want to create/activate
>> simple GPOs.
>>
>> # Interactive logon: Do not require CTRL + ALT + DEL -> activate
>>
>> # Interactive login: Do not display last user name -> activate
>
> These look like machine level GPO. See the output of
>
> gpresult /v
>
> Mine says that machine based GPOs are not applied because of "Denied
> (Security)" and the GPO is the default one (This is a test domain)
> where the filter is for "Authenticated Users" and that includes machine
> accounts.
>
> Running Samba Version 4.7.4.
>
> More details of the same problem (not solved) at this mailing list
> post https://lists.samba.org/archive/samba/2018-January/213333.html
>
>> When I'm activating these policies (no errors or something like that)
>> nothing happened.
>>
>> I reboot two Domain Members (Windows 7). Still showing last username
>> and CTRL + ALT + DEL. Also typed "gpudate /force", didn't help. Also
>> rejoined the clients.
>>
>> I configured the SYSVOL replication with this guide:
>>
>> https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround
>>
>> Tell me what information you need if it isn't enough.
>>
>> I hope you can help!
>>
>> Thanks
>>
>> Micha

I don't recommend modifying the default domain or default domain controllers policy. Create separate ones and apply to either site or OU.

--
James

On 02/06/2018 02:52 PM, lingpanda101 via samba wrote:
> I don't recommend modifying the default domain or default domain
> controllers policy. Create separate ones and apply to either site or OU.

Thanks for the information, to use a default GPO was a simple way to try to encourage someone to reproduce the problem.

I already created new GPOs (this is a test domain). Using the default filter for a new GPO, "Authenticated users", creating a new group for the test clients and using that as the filter, checking it has the right permissions (apply), checking every guide about applying GPO to computers. Using OUs and using domain level GPOs.

What I find weird is that gpresult doesn't list the computer as a member of groups I create, only a few predefined ones:

NULL SID
NT AUTHORITY\NETWORK,
This company,
and something like "mandatory level of no trust" (Windows is not in English)

On Tue, 6 Feb 2018 15:03:16 -0400 Robert Marcano via samba <samba at lists.samba.org> wrote:
> Thanks for the information, to use a default GPO was a simple way to
> try to encourage someone to reproduce the problem.
>
> I already created new GPOs (this is a test domain). Using the default
> filter for a new GPO, "Authenticated users", creating a new group for
> the test clients and using that as the filter, checking it has the
> right permissions (apply), checking every guide about applying GPO to
> computers. Using OUs and using domain level GPOs.
>
> What I find weird is that gpresult doesn't list the computer as a
> member of groups I create, only a few predefined ones:
>
> NULL SID
> NT AUTHORITY\NETWORK,
> This company,
> and something like "mandatory level of no trust" (Windows is not in
> English)

Do not alter the two default GPOs, it doesn't work ;-)

Creating new GPOs should work, just do not run sysvolreset after creating them.

Rowland

On 2/6/2018 2:03 PM, Robert Marcano via samba wrote:
> Thanks for the information, to use a default GPO was a simple way to
> try to encourage someone to reproduce the problem.
>
> I already created new GPOs (this is a test domain). Using the default
> filter for a new GPO, "Authenticated users", creating a new group for
> the test clients and using that as the filter, checking it has the
> right permissions (apply), checking every guide about applying GPO to
> computers. Using OUs and using domain level GPOs.
>
> What I find weird is that gpresult doesn't list the computer as a
> member of groups I create, only a few predefined ones:
>
> NULL SID
> NT AUTHORITY\NETWORK,
> This company,
> and something like "mandatory level of no trust" (Windows is not in
> English)

I think I understand a bit more. You are attempting to modify the Security Filtering from Authenticated Users to a manually created group?

From my testing this for some reason does not work. At least for me. GPOs will not apply. That doesn't mean I'm not able to apply machine account GPOs though. Am I correct?

--
James

Thanks for help,
this is a new domain controller without any modifications, except one
GPO. I have the "Default Domain Policy" and created an additional GPO,
named "test_something". Both are linked at the top of the domain. I
configured at the "test_something" GPO:
# Interactive logon: Do not require CTRL + ALT + DEL -> activate
# Interactive login: Do not display last user name -> activate
Security Filter, by default:
* Authenticated Users
Delegation Tab, also by default:
* Authenticated Users
* Domain Admins
* Enterprise Admins
* ServerLogon
* SYSTEM
gpresult /v shows:
############################
Betriebssystem Microsoft (R) Windows (R) Gruppenrichtlinienergebnis-Tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Am 06.02.2018, um 20:01:46 erstellt
RSOP-Daten für ROOTRUDI\<User> auf CLIENTWIN701: Protokollmodus
---------------------------------------------------------------
Betriebssystemkonfiguration: Mitglied der Domäne/Arbeitsgruppe
Betriebssystemversion: 6.1.7601
Standortname: Nicht zutreffend
Zwischengespeichertes Profil:Nicht zutreffend
Lokales Profil: C:\Users\<User>
Langsame Verbindung? Nein
BENUTZEREINSTELLUNGEN
----------------------
CN=Björn <User>,CN=Users,DC=rootrudi,DC=de
Letzte Gruppenrichtlinienanwendung: 06.02.2018, um 20:01:12
Gruppenrichtlinieanwendung von: dc2.rootrudi.de
Schwellenwert für langsame Verbindung:500 kbps
Domänenname: ROOTRUDI
Domänentyp: Windows 2000
Angewendete Gruppenrichtlinienobjekte
--------------------------------------
Default Domain Policy
test_something
Folgende herausgefilterte Gruppenrichtlinien werden nicht angewendet.
----------------------------------------------------------------------
Richtlinien der lokalen Gruppe
Filterung: Nicht angewendet (Leer)
Der Benutzer ist Mitglied der folgenden Sicherheitsgruppen
----------------------------------------------------------
Domain Users
Jeder
Benutzer
INTERAKTIV
KONSOLENANMELDUNG
Authentifizierte Benutzer
Diese Organisation
LOKAL
mitarbeiter
rzm
Mittlere Verbindlichkeitsstufe
Der Benutzer verfügt über folgende Berechtigungen
-------------------------------------------------
Richtlinienergebnissatz für Benutzer
-------------------------------------
Softwareinstallationen
----------------------
Nicht zutreffend
Anmeldeskripts
--------------
Nicht zutreffend
Abmeldeskripts
--------------
Nicht zutreffend
Richtlinien öffentlicher Schlüssel
----------------------------------
Nicht zutreffend
Administrative Vorlagen
-----------------------
Nicht zutreffend
Ordnerumleitung
---------------
Nicht zutreffend
Internet Explorer-Browserbenutzerschnittstelle
----------------------------------------------
Nicht zutreffend
Internet Explorer-Verbindung
----------------------------
Nicht zutreffend
Internet Explorer-URLs
----------------------
Nicht zutreffend
Internet Explorer-Sicherheit
----------------------------
Nicht zutreffend
Internet Explorer-Programme
---------------------------
Nicht zutreffend
############################
You see *test_something* was loaded correctly, but the options I set up are not
working.
"gpresult /H GPReport.html" shows the same.
https://www.uni-landau.de/MichaB/gpresult.html
Thx for help!
Micha
# Interactive login: Do not display last user name -> activate
On 06.02.2018 at 19:52, lingpanda101 via samba wrote:
> I don't recommend modifying the default domain or default domain
> controllers policy. Create separate ones and apply to either site or OU.

If you change the filter from "authorized users" to a group or user you must change the permission for the GPO. For more than two years you must give the "domain computers" the permission to read the GPO.

On 06.02.18 at 20:27, Micha Ballmann via samba wrote:
> Thanks for help,
>
> this is a new domain controller without any modifications, except one
> GPO. I have the "Default Domain Policy" and created an additional GPO,
> named "test_something". Both are linked at the top of the domain. I
> configured at the "test_something" GPO:
>
> # Interactive logon: Do not require CTRL + ALT + DEL -> activate
>
> # Interactive login: Do not display last user name -> activate
>
> Security Filter, by default:
>
> * Authenticated Users
>
> Delegation Tab, also by default:
>
> * Authenticated Users
> * Domain Admins
> * Enterprise Admins
> * ServerLogon
> * SYSTEM

--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps to reduce spam. Sign your e-mail.
More information at http://www.gnupg.org
My key is available at hkp://subkeys.pgp.net
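
The permission requirement from the last reply, as an added example that is not part of the original thread: a Python check that reads a GPO's security descriptor in SDDL form and reports whether a domain computer account can read and apply the GPO. The SDDL strings and the group SID are constructed samples and `computer_access` is a hypothetical helper; only allow ACEs with symbolic rights are evaluated.

```python
import re

# GUID of the "Apply Group Policy" extended right.
APPLY_GPO = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
# SDDL aliases that cover every domain computer account:
# AU = Authenticated Users, DC = Domain Computers.
COMPUTER_TRUSTEES = {"AU", "DC"}
ACE_RE = re.compile(r"\(([^()]*)\)")


def rights(mask):
    """Split a symbolic SDDL rights string ('RPLCLORC') into 2-letter codes."""
    return {mask[i:i + 2] for i in range(0, len(mask), 2)}


def computer_access(sddl, extra_trustees=()):
    """Return {'read': bool, 'apply': bool} for a domain computer account.

    extra_trustees: aliases/SIDs of further groups the computer belongs to.
    Assumption of this example: only allow ACEs (A, OA) with symbolic
    rights are evaluated; deny ACEs and hex masks are ignored.
    """
    trustees = COMPUTER_TRUSTEES | set(extra_trustees)
    access = {"read": False, "apply": False}
    for ace in ACE_RE.findall(sddl):
        fields = ace.split(";")
        if len(fields) != 6 or fields[5] not in trustees:
            continue
        ace_type, _flags, mask, obj_guid = fields[:4]
        r = rights(mask)
        # Read: generic all/read, or read property + list contents + read control.
        if ace_type == "A" and ({"GA", "GR"} & r or {"RP", "LC", "RC"} <= r):
            access["read"] = True
        # Apply: the specific extended right, or an ACE granting all of them.
        if ace_type == "OA" and "CR" in r and obj_guid.lower() == APPLY_GPO:
            access["apply"] = True
        if ace_type == "A" and {"GA", "CR"} & r:
            access["apply"] = True
    return access


# Constructed samples (not taken from the thread's domain).
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
ADMINS = "O:DAG:DAD:P(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
DEFAULT = ADMINS + f"(A;CI;RPLCLORC;;;AU)(OA;CI;CR;{APPLY_GPO};;AU)"
# Security filter switched from Authenticated Users to a custom group.
FILTERED = ADMINS + f"(A;CI;RPLCLORC;;;{GROUP_SID})(OA;CI;CR;{APPLY_GPO};;{GROUP_SID})"
# Same, plus read-only access for Domain Computers.
FIXED = FILTERED + "(A;CI;RPLCLORC;;;DC)"

if __name__ == "__main__":
    for name, sddl in [("default", DEFAULT), ("filtered", FILTERED), ("fixed", FIXED)]:
        print(name, computer_access(sddl))
```

In the `fixed` sample the computer can read the GPO but is not in the filter group, so the apply right is still absent for the computer account itself; passing the group SID in `extra_trustees` models a computer that is a member of the filter group.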