samba - Feb 2018 - GPOs not Working!

On 2/6/2018 1:42 PM, Robert Marcano via samba wrote:
> On 02/06/2018 01:44 PM, Micha Ballmann via samba wrote:
>> Hello,
>>
>> i have a testing environment, 2 DCs Ubuntu 18.04, SAMBA 4.7.4 - MIT 
>> Kerberos (clean, not upgraded). I just wan to create/activating a 
>> simple GPOs.
>>
>> # Interactive logon: Do not require CTRL + ALT + DEL -> activate
>>
>> # Interactive login: Do not displa last user name -> activate
>
>
> These look like machine level GPO. See the output of
>
>   gpresult /v
>
> Mine say that machine based GPOs are not applied because of "Denied 
> (Security)" and the GPO is the default one (This is a test domain) 
> where the filter is for "Authenticated Users" and that include
machine
> accounts.
>
> Running Samba Version 4.7.4.
>
> More details of the same problem (not solved) at this mailing list 
> post https://lists.samba.org/archive/samba/2018-January/213333.html
>
>>
>> When im activating this Policys (no errors or something like that) 
>> nothing happend.
>>
>> I reboot two Domain Members (Windows 7). Still showing last username 
>> and CTRL + ALT + DEL. Also typed "gpudate /force", didn't
help. Also
>> rejoined the clients.
>>
>> I configured the SYSVOL replication with this guide:
>>
>>
https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround
>>
>>
>> Tell me what information you need if isn't enough.
>>
>> I hope you can help!
>>
>> Thanks
>>
>> Micha
>>
>>
>>
>
>
I don't recommend modifying the default domain or default domain 
controllers policy. Create separate ones and apply to either site or OU.

-- 
--
James

On 02/06/2018 02:52 PM, lingpanda101 via samba wrote:
> On 2/6/2018 1:42 PM, Robert Marcano via samba wrote:
>> On 02/06/2018 01:44 PM, Micha Ballmann via samba wrote:
>>> Hello,
>>>
>>> i have a testing environment, 2 DCs Ubuntu 18.04, SAMBA 4.7.4 - MIT
>>> Kerberos (clean, not upgraded). I just wan to create/activating a 
>>> simple GPOs.
>>>
>>> # Interactive logon: Do not require CTRL + ALT + DEL -> activate
>>>
>>> # Interactive login: Do not displa last user name -> activate
>>
>>
>> These look like machine level GPO. See the output of
>>
>>   gpresult /v
>>
>> Mine say that machine based GPOs are not applied because of
"Denied
>> (Security)" and the GPO is the default one (This is a test domain)
>> where the filter is for "Authenticated Users" and that
include machine
>> accounts.
>>
>> Running Samba Version 4.7.4.
>>
>> More details of the same problem (not solved) at this mailing list 
>> post https://lists.samba.org/archive/samba/2018-January/213333.html
>>
>>>
>>> When im activating this Policys (no errors or something like that) 
>>> nothing happend.
>>>
>>> I reboot two Domain Members (Windows 7). Still showing last
username
>>> and CTRL + ALT + DEL. Also typed "gpudate /force",
didn't help. Also
>>> rejoined the clients.
>>>
>>> I configured the SYSVOL replication with this guide:
>>>
>>>
https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround
>>>
>>>
>>> Tell me what information you need if isn't enough.
>>>
>>> I hope you can help!
>>>
>>> Thanks
>>>
>>> Micha
>>>
>>>
>>>
>>
>>
> I don't recommend modifying the default domain or default domain 
> controllers policy. Create separate ones and apply to either site or OU.
> 
Thanks for the information, to use a default GPO was a simple way to try 
to encourage someone to reproduce the problem.

I already created new GPOs (this is a test domain) Using the default 
filter for a new GPO, "Authenticated users", creating a new group for 
the test clients and using that as the filter, checking it have the 
right permissions (apply), checking every guide about applying GPO to 
computers. Using OUs and using domain level GPOs.

What I find weird is that gpresult doesn't list the computer as a member 
of groups I create, only a few predefined ones:

   NULL SID
   NT AUTHORITY\NETWORK,
   This company,
   and something like "mandatory level of no trust" (Windows is not in
english)

On Tue, 6 Feb 2018 15:03:16 -0400
Robert Marcano via samba <samba at lists.samba.org> wrote:
> Thanks for the information, to use a default GPO was a simple way to
> try to encourage someone to reproduce the problem.
> 
> I already created new GPOs (this is a test domain) Using the default 
> filter for a new GPO, "Authenticated users", creating a new group
for
> the test clients and using that as the filter, checking it have the 
> right permissions (apply), checking every guide about applying GPO to 
> computers. Using OUs and using domain level GPOs.
> 
> What I find weird is that gpresult doesn't list the computer as a
> member of groups I create, only a few predefined ones:
> 
>    NULL SID
>    NT AUTHORITY\NETWORK,
>    This company,
>    and something like "mandatory level of no trust" (Windows is
not in
> english)
> 
Do not alter the two default GPOs, it doesn't work ;-)

Creating new GPOs should work, just do not run sysvolreset after
creating them.

Rowland

On 2/6/2018 2:03 PM, Robert Marcano via samba wrote:
> On 02/06/2018 02:52 PM, lingpanda101 via samba wrote:
>> On 2/6/2018 1:42 PM, Robert Marcano via samba wrote:
>>> On 02/06/2018 01:44 PM, Micha Ballmann via samba wrote:
>>>> Hello,
>>>>
>>>> i have a testing environment, 2 DCs Ubuntu 18.04, SAMBA 4.7.4 -
MIT
>>>> Kerberos (clean, not upgraded). I just wan to create/activating
a
>>>> simple GPOs.
>>>>
>>>> # Interactive logon: Do not require CTRL + ALT + DEL ->
activate
>>>>
>>>> # Interactive login: Do not displa last user name ->
activate
>>>
>>>
>>> These look like machine level GPO. See the output of
>>>
>>>   gpresult /v
>>>
>>> Mine say that machine based GPOs are not applied because of
"Denied
>>> (Security)" and the GPO is the default one (This is a test
domain)
>>> where the filter is for "Authenticated Users" and that
include
>>> machine accounts.
>>>
>>> Running Samba Version 4.7.4.
>>>
>>> More details of the same problem (not solved) at this mailing list 
>>> post https://lists.samba.org/archive/samba/2018-January/213333.html
>>>
>>>>
>>>> When im activating this Policys (no errors or something like
that)
>>>> nothing happend.
>>>>
>>>> I reboot two Domain Members (Windows 7). Still showing last 
>>>> username and CTRL + ALT + DEL. Also typed "gpudate
/force", didn't
>>>> help. Also rejoined the clients.
>>>>
>>>> I configured the SYSVOL replication with this guide:
>>>>
>>>>
https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround
>>>>
>>>>
>>>> Tell me what information you need if isn't enough.
>>>>
>>>> I hope you can help!
>>>>
>>>> Thanks
>>>>
>>>> Micha
>>>>
>>>>
>>>>
>>>
>>>
>> I don't recommend modifying the default domain or default domain 
>> controllers policy. Create separate ones and apply to either site or
OU.
>>
> Thanks for the information, to use a default GPO was a simple way to 
> try to encourage someone to reproduce the problem.
>
> I already created new GPOs (this is a test domain) Using the default 
> filter for a new GPO, "Authenticated users", creating a new group
for
> the test clients and using that as the filter, checking it have the 
> right permissions (apply), checking every guide about applying GPO to 
> computers. Using OUs and using domain level GPOs.
>
> What I find weird is that gpresult doesn't list the computer as a 
> member of groups I create, only a few predefined ones:
>
>   NULL SID
>   NT AUTHORITY\NETWORK,
>   This company,
>   and something like "mandatory level of no trust" (Windows is
not in
> english)
>
>
>
I think I understand a bit more. You are attempting to modify the 
Security Filtering from Authenticated Users to a manually created group?
>From my testing this for some reason does not work. At least for me. 
GPO's will not apply.  That doesn't mean I'm not able to apply
machine
account GPO's though. Am I correct?

-- 
--
James

Thanks for help,

this is a new domain controller without any modifcations, except one 
GPO. I have the "Default Domain Policy" and created an addtional GPO, 
named "test_something". Both are linked at the top of the domain. I 
configured at the "test_something" GPO:

# Interactive logon: Do not require CTRL + ALT + DEL -> activate

# Interactive login: Do not displa last user name -> activate

Security Filter, by default:

  * Authenticated Users

Delegation Tab, also by default:

  * Authenticated Users
  * Domain Admins
  * Enterprise Admins
  * ServerLogon
  * SYSTEM

gpresult /v shows:

############################


Betriebssystem Microsoft (R) Windows (R) Gruppenrichtlinienergebnis-Tool 
v2.0
Copyright (C) Microsoft Corp. 1981-2001

Am 06.02.2018, um 20:01:46 erstellt



RSOP-Daten fr ROOTRUDI\<User> auf CLIENTWIN701: Protokollmodus
---------------------------------------------------------------

Betriebssystemkonfiguration: Mitglied der Dom„ne/Arbeitsgruppe
Betriebssystemversion:       6.1.7601
Standortname:                Nicht zutreffend
Zwischengespeichertes Profil:Nicht zutreffend
Lokales Profil:              C:\Users\<User>
Langsame Verbindung?         Nein


BENUTZEREINSTELLUNGEN
----------------------
     CN=Bj”rn <User>,CN=Users,DC=rootrudi,DC=de
     Letzte Gruppenrichtlinienanwendung:   06.02.2018, um 20:01:12
     Gruppenrichtlinieanwendung von:       dc2.rootrudi.de
     Schwellenwert fr langsame Verbindung:500 kbps
     Dom„nenname:                          ROOTRUDI
     Dom„nentyp:                           Windows 2000

*Angewendete Gruppenrichtlinienobjekte**
**    --------------------------------------**
**        Default Domain Policy**
**        test_something*

     Folgende herausgefilterte Gruppenrichtlinien werden nicht angewendet.
----------------------------------------------------------------------
         Richtlinien der lokalen Gruppe
             Filterung:  Nicht angewendet (Leer)

     Der Benutzer ist Mitglied der folgenden Sicherheitsgruppen
     ----------------------------------------------------------
         Domain Users
         Jeder
         Benutzer
         INTERAKTIV
         KONSOLENANMELDUNG
         Authentifizierte Benutzer
         Diese Organisation
         LOKAL
         mitarbeiter
         rzm
         Mittlere Verbindlichkeitsstufe

     Der Benutzer verfgt ber folgende Berechtigungen
     -------------------------------------------------


     Richtlinienergebnissatz fr Benutzer
     -------------------------------------

         Softwareinstallationen
         ----------------------
             Nicht zutreffend

         Anmeldeskripts
         --------------
             Nicht zutreffend

         Abmeldeskripts
         --------------
             Nicht zutreffend

         Richtlinien ”ffentlicher Schlssel
         ----------------------------------
             Nicht zutreffend

         Administrative Vorlagen
         -----------------------
             Nicht zutreffend

         Ordnerumleitung
         ---------------
             Nicht zutreffend

         Internet Explorer-Browserbenutzerschnittstelle
         ----------------------------------------------
             Nicht zutreffend

         Internet Explorer-Verbindung
         ----------------------------
             Nicht zutreffend

         Internet Explorer-URLs
         ----------------------
             Nicht zutreffend

         Internet Explorer-Sicherheit
         ----------------------------
             Nicht zutreffend

         Internet Explorer-Programme
         ---------------------------
             Nicht zutreffend

############################

You see*test_something *was loaded corrctly, but the options i set up are not
working.

"gpresult /H GPReport.html" shows the same.

https://www.uni-landau.de/MichaB/gpresult.html

Thy for help!
Micha



  




# Interactive login: Do not displa last user name -> activate


Am 06.02.2018 um 19:52 schrieb lingpanda101 via samba:
> On 2/6/2018 1:42 PM, Robert Marcano via samba wrote:
>> On 02/06/2018 01:44 PM, Micha Ballmann via samba wrote:
>>> Hello,
>>>
>>> i have a testing environment, 2 DCs Ubuntu 18.04, SAMBA 4.7.4 - MIT
>>> Kerberos (clean, not upgraded). I just wan to create/activating a 
>>> simple GPOs.
>>>
>>> # Interactive logon: Do not require CTRL + ALT + DEL -> activate
>>>
>>> # Interactive login: Do not displa last user name -> activate
>>
>>
>> These look like machine level GPO. See the output of
>>
>>   gpresult /v
>>
>> Mine say that machine based GPOs are not applied because of
"Denied
>> (Security)" and the GPO is the default one (This is a test domain)
>> where the filter is for "Authenticated Users" and that
include
>> machine accounts.
>>
>> Running Samba Version 4.7.4.
>>
>> More details of the same problem (not solved) at this mailing list 
>> post https://lists.samba.org/archive/samba/2018-January/213333.html
>>
>>>
>>> When im activating this Policys (no errors or something like that) 
>>> nothing happend.
>>>
>>> I reboot two Domain Members (Windows 7). Still showing last
username
>>> and CTRL + ALT + DEL. Also typed "gpudate /force",
didn't help. Also
>>> rejoined the clients.
>>>
>>> I configured the SYSVOL replication with this guide:
>>>
>>>
https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround
>>>
>>>
>>> Tell me what information you need if isn't enough.
>>>
>>> I hope you can help!
>>>
>>> Thanks
>>>
>>> Micha
>>>
>>>
>>>
>>
>>
> I don't recommend modifying the default domain or default domain 
> controllers policy. Create separate ones and apply to either site or OU.

If you change the filter from "authorized users" to a group or user ou
must change the permission for the GPO. For mor then two years you must
give the "domain comouters" the permission to read the GPO.


Am 06.02.18 um 20:27 schrieb Micha Ballmann via samba:
> Thanks for help,
>
> this is a new domain controller without any modifcations, except one
> GPO. I have the "Default Domain Policy" and created an addtional
GPO,
> named "test_something". Both are linked at the top of the domain.
I
> configured at the "test_something" GPO:
>
> # Interactive logon: Do not require CTRL + ALT + DEL -> activate
>
> # Interactive login: Do not displa last user name -> activate
>
> Security Filter, by default:
>
>  * Authenticated Users
>
> Delegation Tab, also by default:
>
>  * Authenticated Users
>  * Domain Admins
>  * Enterprise Admins
>  * ServerLogon
>  * SYSTEM
>
> gpresult /v shows:
>
> ############################
>
>
> Betriebssystem Microsoft (R) Windows (R)
> Gruppenrichtlinienergebnis-Tool v2.0
> Copyright (C) Microsoft Corp. 1981-2001
>
> Am 06.02.2018, um 20:01:46 erstellt
>
>
>
> RSOP-Daten fr ROOTRUDI\<User> auf CLIENTWIN701: Protokollmodus
> ---------------------------------------------------------------
>
> Betriebssystemkonfiguration: Mitglied der Dom„ne/Arbeitsgruppe
> Betriebssystemversion:       6.1.7601
> Standortname:                Nicht zutreffend
> Zwischengespeichertes Profil:Nicht zutreffend
> Lokales Profil:              C:\Users\<User>
> Langsame Verbindung?         Nein
>
>
> BENUTZEREINSTELLUNGEN
> ----------------------
>     CN=Bj”rn <User>,CN=Users,DC=rootrudi,DC=de
>     Letzte Gruppenrichtlinienanwendung:   06.02.2018, um 20:01:12
>     Gruppenrichtlinieanwendung von:       dc2.rootrudi.de
>     Schwellenwert fr langsame Verbindung:500 kbps
>     Dom„nenname:                          ROOTRUDI
>     Dom„nentyp:                           Windows 2000
>
> *Angewendete Gruppenrichtlinienobjekte**
> **    --------------------------------------**
> **        Default Domain Policy**
> **        test_something*
>
>     Folgende herausgefilterte Gruppenrichtlinien werden nicht angewendet.
> ----------------------------------------------------------------------
>         Richtlinien der lokalen Gruppe
>             Filterung:  Nicht angewendet (Leer)
>
>     Der Benutzer ist Mitglied der folgenden Sicherheitsgruppen
>     ----------------------------------------------------------
>         Domain Users
>         Jeder
>         Benutzer
>         INTERAKTIV
>         KONSOLENANMELDUNG
>         Authentifizierte Benutzer
>         Diese Organisation
>         LOKAL
>         mitarbeiter
>         rzm
>         Mittlere Verbindlichkeitsstufe
>
>     Der Benutzer verfgt ber folgende Berechtigungen
>     -------------------------------------------------
>
>
>     Richtlinienergebnissatz fr Benutzer
>     -------------------------------------
>
>         Softwareinstallationen
>         ----------------------
>             Nicht zutreffend
>
>         Anmeldeskripts
>         --------------
>             Nicht zutreffend
>
>         Abmeldeskripts
>         --------------
>             Nicht zutreffend
>
>         Richtlinien ”ffentlicher Schlssel
>         ----------------------------------
>             Nicht zutreffend
>
>         Administrative Vorlagen
>         -----------------------
>             Nicht zutreffend
>
>         Ordnerumleitung
>         ---------------
>             Nicht zutreffend
>
>         Internet Explorer-Browserbenutzerschnittstelle
>         ----------------------------------------------
>             Nicht zutreffend
>
>         Internet Explorer-Verbindung
>         ----------------------------
>             Nicht zutreffend
>
>         Internet Explorer-URLs
>         ----------------------
>             Nicht zutreffend
>
>         Internet Explorer-Sicherheit
>         ----------------------------
>             Nicht zutreffend
>
>         Internet Explorer-Programme
>         ---------------------------
>             Nicht zutreffend
>
> ############################
>
> You see*test_something *was loaded corrctly, but the options i set up
> are not working.
>
> "gpresult /H GPReport.html" shows the same.
>
> https://www.uni-landau.de/MichaB/gpresult.html
>
> Thy for help!
> Micha
>
>
>
>  
>
>
>
>
> # Interactive login: Do not displa last user name -> activate
>
>
> Am 06.02.2018 um 19:52 schrieb lingpanda101 via samba:
>> On 2/6/2018 1:42 PM, Robert Marcano via samba wrote:
>>> On 02/06/2018 01:44 PM, Micha Ballmann via samba wrote:
>>>> Hello,
>>>>
>>>> i have a testing environment, 2 DCs Ubuntu 18.04, SAMBA 4.7.4 -
MIT
>>>> Kerberos (clean, not upgraded). I just wan to create/activating
a
>>>> simple GPOs.
>>>>
>>>> # Interactive logon: Do not require CTRL + ALT + DEL ->
activate
>>>>
>>>> # Interactive login: Do not displa last user name ->
activate
>>>
>>>
>>> These look like machine level GPO. See the output of
>>>
>>>   gpresult /v
>>>
>>> Mine say that machine based GPOs are not applied because of
"Denied
>>> (Security)" and the GPO is the default one (This is a test
domain)
>>> where the filter is for "Authenticated Users" and that
include
>>> machine accounts.
>>>
>>> Running Samba Version 4.7.4.
>>>
>>> More details of the same problem (not solved) at this mailing list
>>> post https://lists.samba.org/archive/samba/2018-January/213333.html
>>>
>>>>
>>>> When im activating this Policys (no errors or something like
that)
>>>> nothing happend.
>>>>
>>>> I reboot two Domain Members (Windows 7). Still showing last
>>>> username and CTRL + ALT + DEL. Also typed "gpudate
/force", didn't
>>>> help. Also rejoined the clients.
>>>>
>>>> I configured the SYSVOL replication with this guide:
>>>>
>>>>
https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround
>>>>
>>>>
>>>> Tell me what information you need if isn't enough.
>>>>
>>>> I hope you can help!
>>>>
>>>> Thanks
>>>>
>>>> Micha
>>>>
>>>>
>>>>
>>>
>>>
>> I don't recommend modifying the default domain or default domain
>> controllers policy. Create separate ones and apply to either site or
OU.
>
-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signieren jeder E-Mail hilft Spam zu reduzieren. Signieren Sie ihre E-Mail.
Weiter Informationen unter http://www.gnupg.org

Mein Schlüssel liegt auf

hkp://subkeys.pgp.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20180207/e87077bf/signature.sig>