On Tue, 6 Feb 2018 15:03:16 -0400 Robert Marcano via samba <samba at lists.samba.org> wrote:

> Thanks for the information, to use a default GPO was a simple way to
> try to encourage someone to reproduce the problem.
>
> I already created new GPOs (this is a test domain) Using the default
> filter for a new GPO, "Authenticated users", creating a new group for
> the test clients and using that as the filter, checking it have the
> right permissions (apply), checking every guide about applying GPO to
> computers. Using OUs and using domain level GPOs.
>
> What I find weird is that gpresult doesn't list the computer as a
> member of groups I create, only a few predefined ones:
>
> NULL SID
> NT AUTHORITY\NETWORK,
> This company,
> and something like "mandatory level of no trust" (Windows is not in
> english)
>

Do not alter the two default GPOs, it doesn't work ;-)

Creating new GPOs should work, just do not run sysvolreset after creating them.

Rowland
On 02/06/2018 03:13 PM, Rowland Penny via samba wrote:

> On Tue, 6 Feb 2018 15:03:16 -0400
> Robert Marcano via samba <samba at lists.samba.org> wrote:
>
>> Thanks for the information, to use a default GPO was a simple way to
>> try to encourage someone to reproduce the problem.
>>
>> I already created new GPOs (this is a test domain) Using the default
>> filter for a new GPO, "Authenticated users", creating a new group for
>> the test clients and using that as the filter, checking it have the
>> right permissions (apply), checking every guide about applying GPO to
>> computers. Using OUs and using domain level GPOs.
>>
>> What I find weird is that gpresult doesn't list the computer as a
>> member of groups I create, only a few predefined ones:
>>
>> NULL SID
>> NT AUTHORITY\NETWORK,
>> This company,
>> and something like "mandatory level of no trust" (Windows is not in
>> english)
>>
>
> Do not alter the two default GPOs, it doesn't work ;-)
>
> Creating new GPOs should work, just do not run sysvolreset after
> creating them.

Thanks. I will resurrect the VMs I was using to test Samba as an AD and will report again.

Note: I find it weird that creating GPOs result in "samba-tool ntacl sysvolcheck" errors and that "sysvolreset - Reset sysvol ACLs to defaults (including correct ACLs on GPOs)." should not be used

>
> Rowland
On Feb 6, 2018 3:23 PM, "Robert Marcano" <robert at marcanoonline.com> wrote:

On 02/06/2018 03:13 PM, Rowland Penny via samba wrote:

> On Tue, 6 Feb 2018 15:03:16 -0400
> Robert Marcano via samba <samba at lists.samba.org> wrote:
>
>> Thanks for the information, to use a default GPO was a simple way to
>> try to encourage someone to reproduce the problem.
>>
>> I already created new GPOs (this is a test domain) Using the default
>> filter for a new GPO, "Authenticated users", creating a new group for
>> the test clients and using that as the filter, checking it have the
>> right permissions (apply), checking every guide about applying GPO to
>> computers. Using OUs and using domain level GPOs.
>>
>> What I find weird is that gpresult doesn't list the computer as a
>> member of groups I create, only a few predefined ones:
>>
>> NULL SID
>> NT AUTHORITY\NETWORK,
>> This company,
>> and something like "mandatory level of no trust" (Windows is not in
>> english)
>>
>
> Do not alter the two default GPOs, it doesn't work ;-)
>
> Creating new GPOs should work, just do not run sysvolreset after
> creating them.
>

Tested again with a new GPO, no filtering changes, gpresult still says denied for the computer account

Thanks. I will resurrect the VMs I was using to test Samba as an AD and will report again.

Note: I find it weird that creating GPOs result in "samba-tool ntacl sysvolcheck" errors and that "sysvolreset - Reset sysvol ACLs to defaults (including correct ACLs on GPOs)." should not be used

> Rowland