Topic: GPO's under user configuration

Leo Moss

GPO's under user configuration
« on: January 04, 2021, 02:43:11 pm »
Hello all, I have Zentyal 6.2 and am trying to do GPOs under USER CONFIGURATION, but nothing works (it works under COMPUTER CONFIGURATION). Am I missing something? Clients are W10.

badapple7

« Reply #1 on: January 05, 2021, 10:30:03 pm »
Did you create the GPO in RSAT, or with samba-tool gpo? Are the new policies present in sysvol? Check the present GPOs with samba-tool gpo listall.

Leo Moss

« Reply #2 on: January 06, 2021, 02:16:50 pm »
I'm creating the GPOs in RSAT, they are shown in SYSVOL, in the Event Viewer of the clients there are no errors related to GPOs, and if you do a gpresult the GPO is there, but nothing happens (not even a simple GPO to map a drive).

badapple7

« Reply #3 on: January 17, 2021, 03:17:56 am »
> I'm creating the GPOs in RSAT, they are shown in SYSVOL, in the Event Viewer of the clients there are no errors related to GPOs, and if you do a gpresult the GPO is there, but nothing happens (not even a simple GPO to map a drive).

I think the "fast" solution is to delete this GPO and create a new one; if that also doesn't work, it could be a permissions problem. Please post the results of:

samba-tool gpo listall
samba-tool gpo show (uid gpo)
getfacl /var/lib/samba/sysvol/yourdomain/Policies/selectyougpo

Leo Moss

« Reply #4 on: January 21, 2021, 06:29:26 pm »
> > I'm creating the GPOs in RSAT, they are shown in SYSVOL, in the Event Viewer of the clients there are no errors related to GPOs, and if you do a gpresult the GPO is there, but nothing happens (not even a simple GPO to map a drive).
>
> I think the "fast" solution is to delete this GPO and create a new one; if that also doesn't work, it could be a permissions problem. Please post the results of:
>
> samba-tool gpo listall
> samba-tool gpo show (uid gpo)
> getfacl /var/lib/samba/sysvol/yourdomain/Policies/selectyougpo

Sadly this is happening with every GPO under USER CONFIGURATION.
This is a new gpo trying to MAP a drive (SYSVOL) where everyone has RO
 
 samba-tool gpo show {350F6B90-53FB-4609-8EC8-1788A79AB62D}
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.CONTACTCENTER.COM<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name ROSDC002.contactcenter.com<0x20>
GPO          : {350F6B90-53FB-4609-8EC8-1788A79AB62D}
display name : MAP DRIVE
path         : \\contactcenter.com\SysVol\contactcenter.com\Policies\{350F6B90-53FB-4609-8EC8-1788A79AB62D}
dn           : CN={350F6B90-53FB-4609-8EC8-1788A79AB62D},CN=Policies,CN=System,DC=contactcenter,DC=com
version      : 262144
flags        : NONE
ACL          : <hidden>


getfacl /var/lib/samba/sysvol/contactcenter.com/Policies/{350F6B90-53FB-4609-8EC8-1788A79AB62D}
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/contactcenter.com/Policies/{350F6B90-53FB-4609-8EC8-1788A79AB62D}
# owner: CONTACTCENTER\134da-leonmosq
# group: CONTACTCENTER\134domain\040admins
user::rwx
user:CONTACTCENTER\134da-leonmosq:rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000010:r-x
user:3000019:r-x
group::rwx
group:CONTACTCENTER\134domain\040admins:rwx
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
group:CONTACTCENTER\134enterprise\040admins:rwx
group:NT\040AUTHORITY\134serverlogon:r-x
group:CONTACTCENTER\134domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:CONTACTCENTER\134da-leonmosq:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000007:rwx
default:user:3000010:r-x
default:user:3000019:r-x
default:group::---
default:group:CONTACTCENTER\134domain\040admins:rwx
default:group:NT\040AUTHORITY\134system:rwx
default:group:NT\040AUTHORITY\134authenticated\040users:r-x
default:group:CONTACTCENTER\134enterprise\040admins:rwx
default:group:NT\040AUTHORITY\134serverlogon:r-x
default:group:CONTACTCENTER\134domain\040computers:r-x
default:mask::rwx
default:other::---

doncamilo

« Reply #5 on: January 25, 2021, 01:42:58 pm »
  :o

I tried to configure a user based GPO and I had the same issue you reported.

GPRESULT shows all right but the GPO doesn't seem to run.

(I added delegation for Domain Computers (r) and Domain Users (r). )

Windows 10 Pro.  1607 (OS Build 14393.0)
Zentyal 6.2

Code:
General
  User name: ZENTYAL-DOMAIN\admindc
  Domain: zentyal-domain.lan
Security Group Membership
  ZENTYAL-DOMAIN\Domain Users
  Everyone
  BUILTIN\Users
  BUILTIN\Administrators
  NT AUTHORITY\INTERACTIVE
  CONSOLE LOGON
  NT AUTHORITY\Authenticated Users
  NT AUTHORITY\This Organization
  LOCAL
  ZENTYAL-DOMAIN\Domain Admins
  ZENTYAL-DOMAIN\Denied RODC Password Replication Group
  Mandatory Label\High Mandatory Level

...

Group Policy Objects
Applied GPOs
testgpo [{02594854-7656-40C7-AC4A-0E41B183E334}]
  Link Location: zentyal-domain.lan
  Extensions Configured: Group Policy Drive Maps, Group Policy Infrastructure
  Enforced: No
  Disabled: None
  Security Filters: NT AUTHORITY\Authenticated Users
  Revision: AD (10), SYSVOL (10)
  WMI Filter:

Code:
#  samba-tool gpo show {02594854-7656-40C7-AC4A-0E41B183E334}
...
GPO          : {02594854-7656-40C7-AC4A-0E41B183E334}
display name : testgpo
path         : \\zentyal-domain.lan\SysVol\zentyal-domain.lan\Policies\{02594854-7656-40C7-AC4A-0E41B183E334}
dn           : CN={02594854-7656-40C7-AC4A-0E41B183E334},CN=Policies,CN=System,DC=zentyal-domain,DC=lan
version      : 655360
flags        : NONE
ACL          : <hidden>


Code:
getfacl /var/lib/samba/sysvol/zentyal-domain.lan/Policies/\{02594854-7656-40C7-AC4A-0E41B183E334\}
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/zentyal-domain.lan/Policies/{02594854-7656-40C7-AC4A-0E41B183E334}
# owner: ZENTYAL-DOMAIN\134admindc
# group: ZENTYAL-DOMAIN\134domain\040admins
user::rwx
user:ZENTYAL-DOMAIN\134admindc:rwx
user:3000002:rwx
user:3000003:r-x
user:3000007:rwx
user:3000010:r-x
user:3000018:r-x
group::rwx
group:ZENTYAL-DOMAIN\134domain\040admins:rwx
group:ZENTYAL-DOMAIN\134domain\040users:r-x
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
group:ZENTYAL-DOMAIN\134enterprise\040admins:rwx
group:NT\040AUTHORITY\134serverlogon:r-x
group:ZENTYAL-DOMAIN\134domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:ZENTYAL-DOMAIN\134admindc:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000007:rwx
default:user:3000010:r-x
default:user:3000018:r-x
default:group::---
default:group:ZENTYAL-DOMAIN\134domain\040admins:rwx
default:group:ZENTYAL-DOMAIN\134domain\040users:r-x
default:group:NT\040AUTHORITY\134system:rwx
default:group:NT\040AUTHORITY\134authenticated\040users:r-x
default:group:ZENTYAL-DOMAIN\134enterprise\040admins:rwx
default:group:NT\040AUTHORITY\134serverlogon:r-x
default:group:ZENTYAL-DOMAIN\134domain\040computers:r-x
default:mask::rwx
default:other::---


Could it be that I have forgotten some evident thing?

Cheers!

« Last Edit: January 25, 2021, 01:46:07 pm by doncamilo »
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,

badapple7

« Reply #6 on: January 27, 2021, 04:18:14 am »
Sorry for the time, please post;

wbinfo --uid-info= (all user)

Leo Moss

« Reply #7 on: January 27, 2021, 03:36:33 pm »
> Sorry for the time, please post;
>
> wbinfo --uid-info= (all user)

Is this the cmd? Thanks in advance for your help.

root@rosdc001:/home/administrator# wbinfo --uid-info= all user
CONTACTCENTER\administrator:*:0:2513::/home/administrator:/bin/bash

badapple7

« Reply #8 on: January 27, 2021, 06:12:12 pm »
  Sorry man;


  wbinfo --uid-info= 3000002
  wbinfo --uid-info= 3000003
  wbinfo --uid-info= 3000007
  wbinfo --uid-info= 3000010
  wbinfo --uid-info= 3000019

Leo Moss

« Reply #9 on: January 29, 2021, 04:23:25 pm »
> Sorry man;
>
> wbinfo --uid-info= 3000002
> wbinfo --uid-info= 3000003
> wbinfo --uid-info= 3000007
> wbinfo --uid-info= 3000010
> wbinfo --uid-info= 3000019

root@rosdc001:/home/administrator# wbinfo --uid-info=3000002
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 3000002
root@rosdc001:/home/administrator# wbinfo --uid-info=3000003
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 3000003
root@rosdc001:/home/administrator# wbinfo --uid-info=3000007
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 3000007
root@rosdc001:/home/administrator# wbinfo --uid-info=3000010
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 3000010
root@rosdc001:/home/administrator# wbinfo --uid-info=3000019
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 3000019

badapple7

« Reply #10 on: January 30, 2021, 05:48:28 am »
Hi Leo, you have a syntax error in
> wbinfo --uid-info=3000002

syntax ok: wbinfo --uid-info= 3000002

------

I am thinking of another possible solution; if not, we will return to the terminal :-(

OK, I am thinking of deleting the GPO, but as follows (in RSAT admin, very easy):

Well, now I use "gpo_new" for example:

Deleting the GPO:

The next step is very important: sometimes after deleting the GPO, if you verify with samba-tool gpo listall, it is still there; from RSAT we do not see it, but it is still there. To continue, the easy way is to use the ADSI editor to delete the GPO.

The GPO is really deleted!!!

Now create a new GPO, but not for "users" or "user authenticated"; you search "groups" for GPO "active".

If all this process does not work, then we will have to work on the shell, but remember to check the syntax.

« Last Edit: January 30, 2021, 05:51:59 am by badapple7 »

Leo Moss

« Reply #11 on: January 31, 2021, 06:17:35 pm »
> Hi Leo, you have a syntax error in
> > wbinfo --uid-info=3000002
>
> syntax ok: wbinfo --uid-info= 3000002

root@rosdc001:/home/administrator# wbinfo --uid-info= 3000002
failed to call wbcGetpwuid: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not get info for uid 0
root@rosdc001:/home/administrator# wbinfo --uid-info= 3000003
CONTACTCENTER\administrator:*:0:2513::/home/administrator:/bin/bash
root@rosdc001:/home/administrator# wbinfo --uid-info= 3000007
CONTACTCENTER\administrator:*:0:2513::/home/administrator:/bin/bash
root@rosdc001:/home/administrator# wbinfo --uid-info= 3000010
CONTACTCENTER\administrator:*:0:2513::/home/administrator:/bin/bash
root@rosdc001:/home/administrator# wbinfo --uid-info= 3000019
CONTACTCENTER\administrator:*:0:2513::/home/administrator:/bin/bash

> Now create a new GPO, but not for "users" or "user authenticated"; you search "groups" for GPO "active".

I could delete the GPO, but I didn't understand this quite well. I created a new GPO, deleted Authenticated Users from the scope and added a group of mine; the user that is trying to "map drive" belongs to this group.
I tried, but it didn't work :(

Leo Moss

« Reply #12 on: February 22, 2021, 04:35:19 pm »
any ideas? :(

badapple7

« Reply #13 on: February 27, 2021, 11:16:04 pm »
Sorry man, for the time, my English is very bad. After deleting the GPO, create a new GPO, but for groups; normally the GPO is created for "user authenticated".


---

Another option is to reset sysvol with samba-tool

https://wiki.samba.org/index.php/Sysvolreset
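
Added example (not part of any post in this thread): a small Python parser for getfacl listings like the ones posted above. It decodes the \134 and \040 escapes, lists the numeric ids that have no name mapping (the ones the wbinfo lookups were requested for), and checks whether a named principal has r-x on the GPO folder. The sample input is constructed from lines of the posted output, with {GPO-GUID} as a placeholder; the function names are assumptions of this example.

```python
import re

# Constructed sample: access-ACL lines in the form of the getfacl listings
# posted in the thread ({GPO-GUID} is a placeholder, most entries left out).
SAMPLE_GETFACL = r"""# file: var/lib/samba/sysvol/contactcenter.com/Policies/{GPO-GUID}
# owner: CONTACTCENTER\134da-leonmosq
user::rwx
user:3000002:rwx
user:3000003:r-x
group:CONTACTCENTER\134domain\040admins:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
group:CONTACTCENTER\134domain\040computers:r-x
mask::rwx
other::---
default:user:3000002:rwx
"""

def unescape(name):
    # getfacl writes special characters as \ooo octal: \134 is '\', \040 is ' '.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text, default=False):
    """Return (tag, qualifier, perms) tuples for access or default ACL entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop headers and #effective notes
        if not line or line.startswith("default:") != default:
            continue
        if default:
            line = line[len("default:"):]
        tag, rest = line.split(":", 1)
        qualifier, perms = rest.rsplit(":", 1)
        entries.append((tag, unescape(qualifier), perms))
    return entries

def unresolved_ids(entries):
    """Numeric qualifiers are ids the system could not map back to a name."""
    return [(tag, q) for tag, q, _ in entries if q.isdigit()]

def grants_read(entries, principal):
    """True if a named entry gives the principal r-x on the GPO folder."""
    wanted = principal.lower()
    return any(q.lower() == wanted and "r" in p and "x" in p for _, q, p in entries)

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for tag, xid in unresolved_ids(acl):
        print(f"unresolved {tag} id {xid}")
    print("Authenticated Users can read:",
          grants_read(acl, r"NT AUTHORITY\authenticated users"))
```

Each id it reports can then be looked up with `wbinfo --uid-info=<id>`, written without a space after `=`; in reply #11 the runs with a space all came back for uid 0.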