Le 28/04/2023 ? 01:03, Andrew Bartlett via samba a
?crit?:> On Thu, 2023-04-27 at 18:18 +0200, Arnaud FLORENT via samba wrote:
>> so it looks that 2016 domain functional level is required for this...
>> i think i update the schema successfully with the 6 new attributes
>>
>>
>> but unfortunately, the policy is not applied
>>
>> event log on windows 10 client says
>>
>> "LAPS password encryption is required but the Active Directory
domain
>> is
>> not yet at 2016 domain functional level. The password was not
>> updated
>> and no changes will be made until this is corrected."
>>
>>
>> this new implementation requires 2016 domain functional level...
> Is there any information on why the client requires the domain to be at
> this functional level?
no this is the only message i get from windows event log.
it also says
See https://go.microsoft.com/fwlink/?linkid=2220550 for more information.
i guess it is related to password encryption gpo setting
this setting help says:
When you enable this setting, the managed password is encrypted before
being sent to Active Directory.
Enabling this setting has no effect unless 1) the password has been
configured to be backed up to Active Directory and 2) the Active
Directory domain functional level is at Windows Server 2016 or above.
If this setting is enabled, and the domain functional level is at or
above Windows Server 2016, the managed account password is encrypted.
If this setting is enabled, and the domain functional level is less than
Windows Server 2016, the managed account password is not backed up to
the directory.
If this setting is disabled, the managed account password is not encrypted.
This setting will default to enabled if not configured.
See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
i will try do disable this setting.
>
> In the past the LAPS feature was built around old AD features and
> maintained from the client, any information on what the server is
> required to do would be very helpful.
>
> I would note that nothing, technically, forces us not to lie to the
> client!
>
> If we know what this needs specifically we could potentially implement
> that and allow the administrator to, at their own risk, return a higher
> FL to the client for example.
>
> Finally, I would note that making this 'just work' - ideally with
the
> schema included out-of-the-box - might be a good task for someone to
> commission from a Samba commercial support provider.
>
> Andrew Bartlett
>
--
Arnaud FLORENT
IRIS Technologies