See: "Default Domain Policy" is listed twice. Default Domain Policy is not enforced.

# net ads gpo list amitk-machine-2$
Enter root's password:
machine: 'amitk-machine-2$' has dn: 'CN=amitk-machine-2,OU=test-Computers,DC=atest,DC=com'
---------------------
name: Local Policy
displayname: Local Policy
version: 0 (0x00000000)
version_user: 0 (0x0000)
version_machine: 0 (0x0000)
filesyspath: (null)
dspath: (null)
options: 0 GPFLAGS_ALL_ENABLED
link: (null)
link_type: 5
machine_extensions: (null)
user_extensions: (null)
---------------------
name: {31B2F340-<>-00C04FB984F9}
displayname: Default Domain Policy
version: 262147 (0x00040003)
version_user: 4 (0x0004)
version_machine: 3 (0x0003)
filesyspath: \\atest.com\sysvol\atest.com\Policies\{31B2F340-<>-00C04FB984F9}
dspath: CN={31B2F340-<>-00C04FB984F9},CN=Policies,CN=System,DC=atest,DC=com
options: 0 GPFLAGS_ALL_ENABLED
link: DC=atest,DC=com
link_type: 3 GP_LINK_DOMAIN
machine_extensions: [{a}{b}{c}{d}{e}]
---------------------
name: [{a}{b}{c}{d}{e}]
extension: a
extension (name): Registry Settings
snapin: b
snapin (name): unknown2
extension: c
extension (name): Security
snapin: 803E14A0-B4FB-11D0-A0D0-00A0C90F574B
snapin (name): Security Settings
extension: d
extension (name): EFS recovery
snapin: e
snapin (name): unknown2
user_extensions: [{a}{b}{c}{d}{e}]
---------------------
name: [{g}{h}{i}{j}]
extension: g
extension (name): Registry Settings
snapin: h
snapin (name): Certificates
extension: i
extension (name): EFS recovery
snapin: j
snapin (name): Certificates
security descriptor:
---------------------
name: {31B2F340-<>-00C04FB984F9}
displayname: Default Domain Policy
version: 262147 (0x00040003)
version_user: 4 (0x0004)
version_machine: 3 (0x0003)
filesyspath: \\atest.com\sysvol\atest.com\Policies\{31B2F340-<>-00C04FB984F9}
dspath: cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=atest,DC=com
options: 0 GPFLAGS_ALL_ENABLED
link: OU=test-Computers,DC=atest,DC=com
link_type: 4 GP_LINK_OU
machine_extensions: [{a}{b}{c}{d}{e}]
---------------------
name: [{a}{b}{c}{d}{e}]
extension: a
extension (name): Registry Settings
snapin: b
snapin (name): unknown2
extension: c
extension (name): Security
snapin: d
snapin (name): Security Settings
extension: e
extension (name): EFS recovery
snapin: f
snapin (name): unknown2
user_extensions: [{g}{h}{i}{j}]
---------------------
name: [{g}{h}{i}{j}]
extension: g
extension (name): Registry Settings
snapin: h
snapin (name): Certificates
extension: i
extension (name): EFS recovery
snapin: j
snapin (name): Certificates
security descriptor:
---------------------
name: {0C7EBE47-<>-B31CDDC999B5}
displayname: test-Computers-GPO-1
version: 0 (0x00000000)
version_user: 0 (0x0000)
version_machine: 0 (0x0000)
filesyspath: \\atest.com\SysVol\atest.com\Policies\{0C7EBE47-<>-B31CDDC999B5}
dspath: cn={0c7ebe47-<>-b31cddc999b5},cn=policies,cn=system,DC=atest,DC=com
options: 0 GPFLAGS_ALL_ENABLED
link: OU=test-Computers,DC=atest,DC=com
link_type: 4 GP_LINK_OU
machine_extensions: (null)
user_extensions: (null)
security descriptor:
samba-4.10.4

I created:
- a machine account (amitk-machine-2) inside OU=test-Computers,DC=atest,DC=com
- a GPO (test-computers-gpo-1), created and linked to amitk-machine-2

Now amitk-machine-2 has 2 GPOs linked:
0c7ebe47-2264-4a4c-868c-b31cddc999b5 => test-computers-gpo-1
31B2F340-016D-11D2-945F-00C04FB984F9 => Default Domain Policy

gp_link of OU=test-Computers,DC=atest,DC=com =>
[LDAP://cn={0c7ebe47-2264-4a4c-868c-b31cddc999b5},cn=policies,cn=system,DC=atest,DC=com;2]
[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=atest,DC=com;0]

At execution of:
# net ads gpo list amitk-machine-2$

ads_get_gpo_list_internal() { // libgpo/gpo_ldap.c
    ..
    dn = {CN=amitk-machine-2,OU=test-Computers,DC=atest,DC=com}
    parent_dn = {OU=test-Computers,DC=atest,DC=com}

    gp_link is parsed for parent_dn (OU=test-Computers,DC=atest,DC=com):
    status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link);
    gp_link = [LDAP://cn={0c7ebe47-2264-4a4c-868c-b31cddc999b5},cn=policies,cn=system,DC=atest,DC=com;2]
              [LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=atest,DC=com;0]

    Retrieve GPOs at the OU and add both GPOs from gp_link to <<gpo_list>>:
    while ((parent_dn = ads_parent_dn(tmp_dn)) &&
           (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
        ..
        status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list, forced_gpo_list,
                                        parent_dn, &gp_link, GP_LINK_OU,
                                        add_only_forced_gpos, token);
    }
    <<<< But the spec says that after adding a GPO it should be removed from the original list.

    Again the same gp_link is passed for searching gpLinks associated with the domain:
    tmp_dn = dn; // {CN=amitk-machine-2,OU=test-Computers,DC=atest,DC=com}
    parent_dn = {OU=test-Computers,DC=atest,DC=com}
    Again it goes inside and adds OU-specific GPOs to gpo_list.

    // This is a wrong check: (parent_dn = {OU=test-Computers,DC=atest,DC=com}) and
    // strequal(parent_dn, ads_parent_dn(ads->config.bind_path)) returns 0 every time.
    ads_parent_dn(ads->config.bind_path) = [dc=COM]
    But I believe the intention of this check was to retrieve the parent_dn of the OU, not the OU itself.
    while ((parent_dn = ads_parent_dn(tmp_dn)) &&
           (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
        ..
        status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list, forced_gpo_list,
                                        parent_dn, &gp_link, GP_LINK_DOMAIN,
                                        add_only_forced_gpos, token);

I believe there can be 2 ways to correct this:

1. Before the 2nd while loop, retrieve the parent DN of the OU, and enter only if the dn is of the domain.

    parent_dn = ads_parent_dn(tmp_dn);
    if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) {
        // if parent_dn contains OU, let's calculate parent_dn one more time
        parent_dn = ads_parent_dn(parent_dn);
    }
    while (parent_dn && (strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {

2. Add an extra check that we are not looking at the OU GPO again.

    while ((parent_dn = ads_parent_dn(tmp_dn)) &&
           (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) &&
           (strncmp(parent_dn, "OU=", strlen("OU=")) != 0)) {

        /* (D)omain */
        /* An account can just be a member of one domain */
        if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) {
            ...
        }
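As an added example (not Samba code and not the reporter's own), a small C model of the climb-up-the-DN loop condition discussed in the report, with the "OU="/"DC=" prefix test from proposed fix 2 applied to each pass. toy_parent_dn, walk_containers and domain_pass_revisits_ou are constructed names; the DNs and the "[dc=COM]" stop value are the report's.

```c
#include <string.h>
#include <strings.h>

#define MAX_VISITED 8

/* Toy stand-in for Samba's ads_parent_dn(): everything after the first
 * comma (no escaped-comma handling). Constructed for this example. */
static const char *toy_parent_dn(const char *dn)
{
    const char *comma = dn ? strchr(dn, ',') : NULL;
    return comma ? comma + 1 : NULL;
}

/* One pass of the loop quoted in the report: climb from dn until the
 * parent of bind_path (the "[dc=COM]" stop value), recording each
 * container whose RDN starts with want_prefix. want_prefix == NULL is
 * the unfiltered condition the report says both loops use. Returns count. */
int walk_containers(const char *dn, const char *bind_path,
                    const char *want_prefix, const char *visited[MAX_VISITED])
{
    const char *stop = toy_parent_dn(bind_path);
    const char *parent_dn;
    int n = 0;
    while ((parent_dn = toy_parent_dn(dn)) != NULL && n < MAX_VISITED &&
           (stop == NULL || strcasecmp(parent_dn, stop) != 0)) {
        if (want_prefix == NULL ||
            strncasecmp(parent_dn, want_prefix, strlen(want_prefix)) == 0)
            visited[n++] = parent_dn;
        dn = parent_dn;
    }
    return n;
}

/* 1 if the domain pass (GP_LINK_DOMAIN) visits a container the OU pass
 * (GP_LINK_OU) already handled; fixed != 0 applies the "DC=" check. */
int domain_pass_revisits_ou(const char *machine_dn, const char *bind_path,
                            int fixed)
{
    const char *ou[MAX_VISITED], *dom[MAX_VISITED];
    int nou = walk_containers(machine_dn, bind_path, "OU=", ou);
    int ndom = walk_containers(machine_dn, bind_path, fixed ? "DC=" : NULL, dom);
    for (int i = 0; i < nou; i++)
        for (int j = 0; j < ndom; j++)
            if (strcasecmp(ou[i], dom[j]) == 0)
                return 1;
    return 0;
}
```

With the report's machine DN the unfiltered domain pass visits OU=test-Computers again, and the prefix-checked pass does not; nested OUs are handled the same way.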