Bug 13993 - Are we checking 'Allow-Enforced-GPOs-Only' parameter in GPO processing
Summary: Are we checking 'Allow-Enforced-GPOs-Only' parameter in GPO processing
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools (show other bugs)
Version: 4.10.4
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-06-14 08:50 UTC by Amit Kumar
Modified: 2019-06-14 08:50 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Amit Kumar 2019-06-14 08:50:40 UTC 
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpol/5c7ecdad-469f-4b30-94b3-450b7fff868f

Describes about Allow-Enforced-GPOs-Only:

ldap client will retrieve Container GPOs [<GPO DN>;<GPLinkOptions>]

    <---gpLink format=[[<GPO DN 1>;<GPLinkOption>][<GPO DN 2>;<GPLinkOption>]]--

Algorithm:
    if(GPLinkOption not present for Directory String)
        Ignore gpo_dn
    if(GPLinkOption == 2){ enforced = True }else{ enforced = false }
    while (SOM_GP_LL != NULL) //traverse
        if(enforced = false && allow_enforced_gpo_only = false)
            Prepend this gpo_dn to Begg of NON_ENFORCED_GP_LL
            remove current gpo_dn from SOM_GP_LL
    while (SOM_GP_LL != NULL)
        Append current gpo_dn to end of ENFORCED_GP_LL
        remove current gpo_dn from SOM_GP_LL
    if (gpOptions == 1)  allow_enforced_gpo_only = 1
    while(NON_ENFORCED_GP_LL != NULL) //traverse
        Append to end of GP_LL
    while(ENFORCED_GP_LL != NULL) //traverse
        Append to end of GP_LL

But while looking into code and 
"net ads gpo list <user> -d 100" I am not able to find are we handling 'Allow-Enforced-GPOs-Only' or not?