Web lists-archives.com

Re: [Samba] GPOs not Working!

On 02/06/2018 03:20 PM, lingpanda101 via samba wrote:
On 2/6/2018 2:03 PM, Robert Marcano via samba wrote:
On 02/06/2018 02:52 PM, lingpanda101 via samba wrote:
On 2/6/2018 1:42 PM, Robert Marcano via samba wrote:
On 02/06/2018 01:44 PM, Micha Ballmann via samba wrote:

i have a testing environment, 2 DCs Ubuntu 18.04, SAMBA 4.7.4 - MIT Kerberos (clean, not upgraded). I just wan to create/activating a simple GPOs.

# Interactive logon: Do not require CTRL + ALT + DEL -> activate

# Interactive login: Do not displa last user name -> activate

These look like machine level GPO. See the output of

  gpresult /v

Mine say that machine based GPOs are not applied because of "Denied (Security)" and the GPO is the default one (This is a test domain) where the filter is for "Authenticated Users" and that include machine accounts.

Running Samba Version 4.7.4.

More details of the same problem (not solved) at this mailing list post https://lists.samba.org/archive/samba/2018-January/213333.html

When im activating this Policys (no errors or something like that) nothing happend.

I reboot two Domain Members (Windows 7). Still showing last username and CTRL + ALT + DEL. Also typed "gpudate /force", didn't help. Also rejoined the clients.

I configured the SYSVOL replication with this guide:


Tell me what information you need if isn't enough.

I hope you can help!



I don't recommend modifying the default domain or default domain controllers policy. Create separate ones and apply to either site or OU.

Thanks for the information, to use a default GPO was a simple way to try to encourage someone to reproduce the problem.

I already created new GPOs (this is a test domain) Using the default filter for a new GPO, "Authenticated users", creating a new group for the test clients and using that as the filter, checking it have the right permissions (apply), checking every guide about applying GPO to computers. Using OUs and using domain level GPOs.

What I find weird is that gpresult doesn't list the computer as a member of groups I create, only a few predefined ones:

  This company,
  and something like "mandatory level of no trust" (Windows is not in

I think I understand a bit more. You are attempting to modify the Security Filtering from Authenticated Users to a manually created group? From my testing this for some reason does not work. At least for me. GPO's will not apply.  That doesn't mean I'm not able to apply machine account GPO's though. Am I correct?

On my initial test I was just trying to set a computer level GPO, It didn't work (on default GPO or new GPOs), I did not modified the default filter that a GPO have. I created new GPOs, and new groups as a test if some other configuration worked.

Another response just received say I should not call sysvolreset after creating GPOs. I don't remember at what time I used sysvolreset trying to make these GPOs to be applied, so I will need to test again.

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba