Author Topic: Zentyal 6 - defined GPO's not applied on user logon  (Read 5614 times)

str3ss

  • Zen Apprentice
  • Posts: 4
  • Karma: +3/-0
Zentyal 6 - defined GPO's not applied on user logon
« on: July 15, 2019, 01:28:43 pm »
I've been working with Zentyal for almost 5 years in a network with 250 computers, without any major problems.
After I upgraded to v6, all rules defined via GPOs no longer work (which is very bad).
Now I have the time and the means to test this issue.
So I installed a fresh new Zentyal 6 and defined some GPOs (don't show the Recycle Bin on the Desktop, don't allow access to the Control Panel).
Unfortunately none of them is applied at logon. It looks like all GPOs are ignored.
I can't find anything related to this in the logs.

Any ideas are welcome.

doncamilo

  • Zen Samurai
  • Posts: 478
  • Karma: +165/-1
Re: Zentyal 6 - defined GPO's not applied on user logon
« Reply #1 on: July 15, 2019, 02:57:32 pm »
 :)

It's really difficult to fix these issues without having access to the client and the server. I had this issue some months ago and the problem was related to the Sysvol permissions (ACLs).

You should check the "gpresult" command on the client machine (run it with administrative privileges) in order to debug the issue.

Do you have any additional domain controllers? Could it be that Sysvol isn't replicated to these additional controllers?

Cheers!
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,

str3ss

  • Zen Apprentice
  • Posts: 4
  • Karma: +3/-0
Re: Zentyal 6 - defined GPO's not applied on user logon
« Reply #2 on: July 19, 2019, 12:57:16 pm »
doncamilo, thank you for your reply.

Finally I got it to work.
After a fresh install in a test environment, and a lot of debugging and searching, I found that the problem is related to UNC.
I searched the forum and found a 2018 post about this issue, so 2 registry modifications solved my problem.

# Run in an elevated PowerShell session on the client; the HardenedPaths key does not exist by default, so create it first.
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" -Name "\\*\SYSVOL" -Value "RequireMutualAuthentication=0" -PropertyType "String" -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" -Name "\\*\NETLOGON" -Value "RequireMutualAuthentication=0" -PropertyType "String" -Force

The original post is:
https://forum.zentyal.org/index.php/topic,32048.msg108290.html#msg108290

Thank you.
Great forum.
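An added example, not code from this thread or from the Zentyal project: a client-side PowerShell script that combines the gpresult check doncamilo suggested with inspection of the UNC hardening entries the workaround above touches. It assumes an elevated session on a domain-joined Windows 10 client; the function names are mine, the registry key and value names are the standard Windows "Hardened UNC Paths" locations. The caveat a practitioner should weigh: RequireMutualAuthentication=0 tells the client to accept SYSVOL and NETLOGON content from a server it cannot authenticate with Kerberos, which is exactly the protection Microsoft added in MS15-011 against a spoofed share handing policy (scripts, settings) to clients. The Relaxed mode below is the thread's workaround; the Default mode restores the hardened values so the change can be reverted once the server side is fixed.

```powershell
# Added example (not from the thread): check GPO application on a Windows 10 client
# and inspect or set the UNC hardening entries for \\*\SYSVOL and \\*\NETLOGON.
# Run from an elevated PowerShell session on the domain-joined client.
# Assumption: these are the standard Windows "Hardened UNC Paths" locations (MS15-011).

$HardenedPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function Get-GpoApplicationReport {
    # gpresult /r lists applied and filtered GPOs; /h writes the full HTML report,
    # which also shows errors reading policy from SYSVOL.
    param([string]$ReportPath = "$env:TEMP\gpresult.html")
    gpresult /h $ReportPath /f | Out-Null
    gpresult /r /scope user
    Write-Host "Full report written to $ReportPath"
}

function Get-UncHardening {
    # Shows the configured UNC hardening entries. With no entries present, Windows 10
    # still applies its built-in hardened defaults for SYSVOL and NETLOGON.
    if (-not (Test-Path -Path $HardenedPaths)) {
        Write-Host "No HardenedPaths key: built-in defaults (mutual auth + integrity for SYSVOL/NETLOGON) apply."
        return
    }
    (Get-ItemProperty -Path $HardenedPaths).PSObject.Properties |
        Where-Object { $_.Name -like '\\*\*' } |
        Select-Object -Property Name, Value
}

function Set-UncHardening {
    param([Parameter(Mandatory)][ValidateSet('Relaxed', 'Default')][string]$Mode)
    # Relaxed = the thread's workaround. Security caveat: the client will then accept
    # SYSVOL/NETLOGON from any SMB server that answers for the DC name, not only an
    # authenticated one, so a rogue server on the path could supply policy content.
    # Default = the hardened value Microsoft recommends for these two shares.
    $value = if ($Mode -eq 'Relaxed') { 'RequireMutualAuthentication=0' }
             else { 'RequireMutualAuthentication=1,RequireIntegrity=1' }
    New-Item -Path $HardenedPaths -Force | Out-Null
    foreach ($share in '\\*\SYSVOL', '\\*\NETLOGON') {
        New-ItemProperty -Path $HardenedPaths -Name $share -Value $value -PropertyType String -Force | Out-Null
    }
    # Refresh policy so the new setting is used before the next logon.
    gpupdate /force | Out-Null
    Get-UncHardening
}

# Usage on the client: look at the current state, apply the workaround, then re-run gpresult.
Get-UncHardening
Set-UncHardening -Mode 'Relaxed'
Get-GpoApplicationReport
```

If GPOs apply only after relaxing mutual authentication, the client was refusing to read policy from the Zentyal DC rather than the DC not serving it; the report written by gpresult /h shows this as an error reading from the SYSVOL path. Once the server-side cause is addressed, `Set-UncHardening -Mode 'Default'` puts the hardened values back.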

xelander

  • Zen Apprentice
  • Posts: 5
  • Karma: +0/-0
Re: Zentyal 6 - defined GPO's not applied on user logon
« Reply #3 on: August 16, 2019, 03:55:29 pm »
Hello,
I'm new to Zentyal and Windows AD, and I've just installed Zentyal 6.0 as a standalone Domain Controller (hostname master, domain insieme.lan) with roaming profiles enabled.

I successfully joined a Windows 10 VM to the domain (INSIEME) and created a new domain user (alex) with a roaming profile (\\master.INSIEME.LAN\profiles\alex), and I have the same problem: GPOs are not applied on user logon.

I followed your suggestion and created the above registry keys, but it did not help.

Moreover, after I modified the default domain policy (I set password expiration to 42 days) and rebooted the W10 client, the roaming profile stopped working: on logon Windows now complains about a problem with the mobile profile and uses a saved local profile.

The Event Viewer says that the User Profile Service is unable to access the server copy of the mobile profile, but the profile dirs (/home/samba/profiles/alex and /home/samba/profiles/alex.V6) are still there (they were created by Windows on first logon), and I can access the profile paths \\master.INSIEME.LAN\profiles\alex and \\master.INSIEME.LAN\profiles\alex.V6 using Explorer when logged in as user 'alex', so I cannot understand why Windows cannot find the profile.

I also created a "\\*\PROFILES" key similar to "\\*\SYSVOL" and "\\*\NETLOGON" above, but again with no result.
I also appended ",RequireIntegrity=0,RequirePrivacy=0" (from this post https://blogs.technet.microsoft.com/leesteve/2017/08/09/demystifying-the-unc-hardening-dilemma/) to the keys' values, but nothing helped.

Does anyone have any suggestion?

Thanks,
Alessandro
« Last Edit: August 16, 2019, 06:18:05 pm by xelander »

xelander

  • Zen Apprentice
  • Posts: 5
  • Karma: +0/-0
Re: Zentyal 6 - defined GPO's not applied on user logon
« Reply #4 on: August 21, 2019, 09:39:10 am »
Upon further testing, I discovered that, with your workaround, GPOs do work: only the max password age setting doesn't work, so I changed it using samba-tool (samba-tool domain passwordsettings set --max-pwd-age=90).

Roaming profiles still give errors, so I disabled them and I suppose I will have to live without them...

doncamilo

  • Zen Samurai
  • Posts: 478
  • Karma: +165/-1
Re: Zentyal 6 - defined GPO's not applied on user logon
« Reply #5 on: August 21, 2019, 02:51:18 pm »
 :)

Don't give up so easily. Roaming profiles are a commonly used feature that should run properly.
(The only issue I have found with roaming profiles is that they are Windows version dependent.)

Remove the user profile both on the Windows client (System Properties > Advanced > User Profiles > Settings...) and on the Zentyal server (simply remove the content of the desired profile folder) and afterwards log into the domain again. It should do the job.

Cheers!

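An added example, not code from this thread or from Zentyal: the client-side half of the profile reset doncamilo describes, done from PowerShell instead of the System Properties dialog, plus a quick check that both profile folders are reachable on the share. It assumes the names from xelander's posts (domain INSIEME, user alex, share \\master.INSIEME.LAN\profiles), an elevated session, and that the user is logged off; the function names are mine. Clearing the server-side folder content under /home/samba/profiles on Zentyal is still done by hand as the reply says.

```powershell
# Added example (not from the thread): remove a stale local copy of a roaming profile
# on the Windows 10 client so the next domain logon recreates it from the server.
# Assumptions: domain INSIEME, user alex, share \\master.INSIEME.LAN\profiles (from the
# thread); run elevated while the user is logged off.

function Get-LocalProfileRecord {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$User)
    # Resolve the account to its SID, then find the matching Win32_UserProfile entry.
    # Matching on SID avoids picking up a renamed folder such as C:\Users\alex.INSIEME.
    $account = New-Object System.Security.Principal.NTAccount("$Domain\$User")
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    Get-CimInstance -ClassName Win32_UserProfile | Where-Object { $_.SID -eq $sid }
}

function Remove-LocalProfile {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$User)
    $rec = Get-LocalProfileRecord -Domain $Domain -User $User
    if (-not $rec) { Write-Host "No local profile for $Domain\$User"; return }
    if ($rec.Loaded) { throw "Profile for $Domain\$User is in use; log the user off first." }
    Write-Host "Removing local profile $($rec.LocalPath) (roaming configured: $($rec.RoamingConfigured))"
    # Remove-CimInstance on Win32_UserProfile deletes the folder and the ProfileList
    # registry entry together, which is what the System Properties dialog does and what a
    # plain Remove-Item on C:\Users\alex does not.
    $rec | Remove-CimInstance
}

function Test-RoamingProfileShare {
    param([Parameter(Mandatory)][string]$ProfilePath)
    # Windows 10 stores its profile in the ".V6" folder next to the bare path; both
    # must be readable by the user over SMB, which is what xelander checked in Explorer.
    foreach ($p in $ProfilePath, "$ProfilePath.V6") {
        '{0}: {1}' -f $p, (Test-Path -LiteralPath $p)
    }
}

# Usage: clear the local copy, confirm the server copy is still reachable, then log on as alex.
Remove-LocalProfile -Domain 'INSIEME' -User 'alex'
Test-RoamingProfileShare -ProfilePath '\\master.INSIEME.LAN\profiles\alex'
```

Run this as a different administrative account, not as alex, because a loaded profile cannot be removed; the Loaded check above throws rather than leaving a half-deleted profile behind.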

xelander

  • Zen Apprentice
  • Posts: 5
  • Karma: +0/-0
Re: Zentyal 6 - defined GPO's not applied on user logon
« Reply #6 on: August 22, 2019, 09:58:56 pm »
Thank you, I will try your suggestion.
But if it works, then I'm a bit worried: do I have to delete and recreate profiles every time I apply a new GPO? :'(

Cheers.

doncamilo

  • Zen Samurai
  • Posts: 478
  • Karma: +165/-1
Re: Zentyal 6 - defined GPO's not applied on user logon
« Reply #7 on: August 26, 2019, 01:01:00 pm »
 :)

No, the problem is surely that you had corrupted profiles after applying the password policy with RSAT instead of samba-tool.

This shouldn't recur.

Cheers!