net ads gpo refresh machinename

net_ads_gpo_refresh() calls:

-> ads_find_samaccount() on the passed in machinename to return the flags and dn from the LDAP query on:

    (&(objectclass=user)(sAMAccountName="machinename"))

It then uses the returned dn to call:

    ads_get_gpo_list() -> ads_get_gpo_list_internal() ->

        if (flags & GPO_LIST_FLAG_MACHINE)
                ads_site_dn_for_machine(ads, mem_ctx, ads->config.ldap_server_name, &site_dn);

This will always return the site of the connected LDAP server, not the site of the machine account we're querying.

Found by Roman Sorokin <rsorokin@google.com>
This looks like a useful link: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpol/5c7ecdad-469f-4b30-94b3-450b7fff868f
I believe this is the gpo fetch process:

    # net ads gpo list machine$

    .. ldap_search_ext_s() base=[dc=ATEST,dc=COM] filter=[(&(objectclass=user)(sAMAccountName=machine$))] attr[userAccountControl]
       //1. ldapsearch to find DN
    .. machine: 'machine$' has dn: 'CN=machine,OU=test,DC=atest,DC=com'
       //2. Finds DN
    .. ldap_search_ext_s() base=[CN=machine,OU=test,DC=atest,DC=com] filter=[(objectclass=*)] attr[objectSid] scope=[0]
       //3. ldapsearch on base=DN
    .. ldap_search_ext_s() base=[OU=test,DC=atest,DC=com] filter=[(objectclass=*)] attr[gPLink] scope=[0]
       //4. Performs ldapsearch on Container, finds gPLink
    .. gPLink: [LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=atest,DC=com;0][LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=atest,DC=com;0][LDAP://cn={903A8BD0-126B-4BF1-8F20-FEE155EADDC4},cn=policies,cn=system,DC=atest,DC=com;2]
       //5. gPLink of Container
    .. ldap_search_ext_s() base=[cn={903A8BD0-126B-4BF1-8F20-FEE155EADDC4},cn=policies,cn=system,DC=atest,DC=com] filter=[(objectclass=*)] attr[cn]
       //6,7,8. ldapsearch on each GPO GUID
    ..

Then it goes to the base container:

    ldap_search_ext_s() base=[DC=atest,DC=com] filter=[(objectclass=*)] attr[gPLink] scope=[0]
       //9. ldapsearch on base

This does not look correct.. the GPOs on a machine account inside an OU might not be the same as on the parent OU..
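Worked example of the gPLink processing traced in this comment (added here; not Samba's code): it parses gPLink values in the MS-GPOL format, walks the container chain from the machine DN up to the domain root, and returns the GPOs in application order, honouring the link-disabled, enforced and block-inheritance bits. The directory snapshot is constructed from the DNs in the trace above, and the site container is passed in explicitly because, as the report notes, it must be the machine's site and not the LDAP server's.

```python
import re

# Constructed in-memory snapshot of the containers from the trace (not a live LDAP query).
# gPLink (MS-GPOL) is "[LDAP://<gpo dn>;<options>]..." with options bit 0 = link disabled and
# bit 1 = enforced; gPOptions bit 0 on a container means "block inheritance" from its parents.
GPO_DEFAULT = "cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=atest,DC=com"
GPO_DC = "cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=atest,DC=com"
GPO_ENFORCED = "cn={903A8BD0-126B-4BF1-8F20-FEE155EADDC4},cn=policies,cn=system,DC=atest,DC=com"
DIRECTORY = {
    "OU=test,DC=atest,DC=com": {"gPOptions": 0, "gPLink":
        f"[LDAP://{GPO_DEFAULT};0][LDAP://{GPO_DC};0][LDAP://{GPO_ENFORCED};2]"},
    "DC=atest,DC=com": {"gPOptions": 0, "gPLink": f"[LDAP://{GPO_DEFAULT};0]"},
}

LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
LINK_DISABLED, LINK_ENFORCED, BLOCK_INHERITANCE = 0x1, 0x2, 0x1

def parse_gplink(value):
    """Return [(gpo_dn, options), ...] in link order; the first entry has the highest precedence."""
    return [(dn, int(opt)) for dn, opt in LINK_RE.findall(value or "")]

def scope_chain(machine_dn, site_dn=None):
    """Containers in LSDOU order: site, domain root, then OUs down to the machine's own OU.
    Simplification: the DN is split on ','; escaped commas inside RDNs are not handled."""
    parts, chain = machine_dn.split(","), []
    for i in range(1, len(parts)):
        rdn_type = parts[i].split("=", 1)[0].strip().upper()
        if rdn_type in ("OU", "DC"):
            chain.append(",".join(parts[i:]))
        if rdn_type == "DC":  # the first DC= component is the domain root; stop there
            break
    chain.reverse()
    return ([site_dn] if site_dn else []) + chain

def gpo_apply_order(machine_dn, directory, site_dn=None):
    """GPO DNs in the order they are applied; a later entry overrides an earlier one."""
    normal, enforced_by_level = [], []
    for container in scope_chain(machine_dn, site_dn):
        entry = directory.get(container, {})
        if entry.get("gPOptions", 0) & BLOCK_INHERITANCE:
            normal = []  # non-enforced links inherited from parent containers are dropped
        level = []
        # the first link in gPLink wins within a container, so it is applied last
        for gpo_dn, opt in reversed(parse_gplink(entry.get("gPLink"))):
            if not opt & LINK_DISABLED:
                (level if opt & LINK_ENFORCED else normal).append(gpo_dn)
        enforced_by_level.append(level)
    # enforced links beat all normal links and higher-level enforced links beat lower ones,
    # so they are applied after everything else, nearest container first
    return normal + [dn for level in reversed(enforced_by_level) for dn in level]
```

For the machine in the trace this yields the Default Domain Policy, the Default Domain Controllers Policy, the Default Domain Policy again (it is linked at both levels) and finally the enforced {903A8BD0-...} GPO, which therefore wins on conflicts.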
Though after

    # net ads gpo refresh

list returns a complete list of GPOs associated with the machine account:

    # net ads gpo list machine-name$ all

    name:               Local Policy
    displayname:        Local Policy
    version:            0 (0x00000000)
    version_user:       0 (0x0000)
    version_machine:    0 (0x0000)
    filesyspath:        (null)
    dspath:             (null)
    options:            0 GPFLAGS_ALL_ENABLED
    link:               (null)
    link_type:          5
    machine_extensions: (null)
    user_extensions:    (null)

    name:               {31B2F340-<>-11D2-945F-<>}
    displayname:        Default Domain Policy
    version:            262147 (0x00040003)
    version_user:       4 (0x0004)
    version_machine:    3 (0x0003)
    filesyspath:        \\<>\sysvol\atest.com\Policies\{<>}
    dspath:             CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=<>,DC=com
    options:            0 GPFLAGS_ALL_ENABLED
    link:               DC=atest,DC=com
    link_type:          3 GP_LINK_DOMAIN
    machine_extensions: [{<>}{<>}][{<>}{<>}][{<>}{<>}]

    name:               {6AC1786C-<>-11D2-945F-<>}
    displayname:        Default Domain Controllers Policy
    version:            2 (0x00000002)
    version_user:       0 (0x0000)
    version_machine:    2 (0x0002)
    filesyspath:        \\atest.com\sysvol\atest.com\Policies\{<>}
    dspath:             cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=atest,DC=com
    options:            0 GPFLAGS_ALL_ENABLED
    link:               OU=test-Computers,DC=atest,DC=com
    link_type:          4 GP_LINK_OU
    machine_extensions: [{8<>}{<>}]

    name:               {<>}
    displayname:        test-Computers-GPO-1        <<<<<< Newly created enforced GPO
    version:            0 (0x00000000)
    version_user:       0 (0x0000)
    version_machine:    0 (0x0000)
    filesyspath:        \\atest.com\SysVol\<>\Policies\{<>}
    dspath:             cn={0c7ebe47-2264-4a4c-868c-b31cddc999b5},cn=policies,cn=system,DC=atest,DC=com
    options:            0 GPFLAGS_ALL_ENABLED
    link:               OU=test-Computers,DC=atest,DC=com
    link_type:          4 GP_LINK_OU
    machine_extensions: (null)
    user_extensions:    (null)
    security descriptor: