Bug 5480 - default domain policy is forced enforced
Summary: default domain policy is forced enforced
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: x86 Windows XP
Importance: P3 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Andrew Bartlett
Depends on:
Reported: 2008-05-21 13:17 UTC by mike wilkinson
Modified: 2008-07-03 02:51 UTC

See Also:

Attachment: Do not provision Default Domain Policy as initially enforced. (1.01 KB, patch), 2008-05-21 21:34 UTC, Andrew Kroeger

Description mike wilkinson 2008-05-21 13:17:23 UTC
Both the release tarball 4.0.0alpha3 and 4.0.0alpha4-GIT-0c09d28 force the default domain policy as enforced; there's no way to disable it with the Active Directory Users & Computers or Group Policy Management tools (the menu item is disabled).
Comment 1 mike wilkinson 2008-05-21 13:22:53 UTC
They also force the default domain policy to be enabled; again, there's no way to disable the policy.
Comment 2 Andrew Kroeger 2008-05-21 21:34:39 UTC
Created attachment 3303 [details]
Do not provision Default Domain Policy as initially enforced.

The attached patch makes the Default Domain Policy settings match those of Windows: not Enforced, Link Enabled.  It is still "locked" in the sense that it cannot be changed via the GUI.

Until the proper fix can be found to allow changing via the GUI, the following workaround will allow the setting to be changed if needed:

1) As root, run "ldbedit -H /usr/local/samba/private/sam.ldb"

2) Search for "gPLink".  There is initially only one.  If there are more than one, find the one associated with the Samba4 realm name (e.g. realm EXAMPLE.COM -> distinguishedName: DC=example,DC=com)

3) The value of the gPLink attribute ends with ";#]" where # represents the digit 0, 1, 2, or 3.  The value of that digit affects the behavior:

  - 0: Not Enforced,     Link Enabled
  - 1: Not Enforced, Not Link Enabled
  - 2:     Enforced,     Link Enabled
  - 3:     Enforced, Not Link Enabled

4) Once the digit has been changed, exit the editor and ldbedit will commit the changes.
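Added example, not from the bug report or from Samba's own code: a small Python decoder for the gPLink value the workaround edits, treating the 0-3 digit from step 3 as two flag bits (bit 0 set = link not enabled, bit 1 set = enforced) so a link's state can be read and changed without hand-editing the digit. The sample gPLink value and its GPO DNs are constructed.

```python
import re

# Option bits of a gPLink entry, as implied by the 0-3 table in the comment above:
# bit 0 set -> link disabled, bit 1 set -> enforced.
LINK_DISABLED = 0x1
ENFORCED = 0x2

# A gPLink value is a concatenation of "[LDAP://<gpo dn>;<options>]" entries.
_ENTRY_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
_WHOLE_RE = re.compile(r"(\[LDAP://[^;\]]+;\d+\])*", re.IGNORECASE)


def parse_gplink(value):
    """Split a gPLink value into (gpo_dn, options) tuples, in link order."""
    # Reject values with stray text so a typo made in ldbedit is not silently accepted.
    if not _WHOLE_RE.fullmatch(value):
        raise ValueError(f"unparseable gPLink value: {value!r}")
    return [(dn, int(opts)) for dn, opts in _ENTRY_RE.findall(value)]


def describe(options):
    """Human-readable state, matching the 0-3 table in the comment above."""
    enforced = "Enforced" if options & ENFORCED else "Not Enforced"
    link = "Not Link Enabled" if options & LINK_DISABLED else "Link Enabled"
    return f"{enforced}, {link}"


def set_link_options(value, gpo_dn, enforced=None, link_enabled=None):
    """Return a new gPLink value with one linked GPO's flags changed; other links are untouched."""
    out, found = [], False
    for dn, opts in parse_gplink(value):
        if dn.lower() == gpo_dn.lower():
            found = True
            if enforced is not None:
                opts = (opts | ENFORCED) if enforced else (opts & ~ENFORCED)
            if link_enabled is not None:
                opts = (opts & ~LINK_DISABLED) if link_enabled else (opts | LINK_DISABLED)
        out.append(f"[LDAP://{dn};{opts}]")
    if not found:
        raise KeyError(f"GPO {gpo_dn} is not linked in this gPLink value")
    return "".join(out)


# Constructed sample: a domain head with the Default Domain Policy linked as provisioned
# before the patch (2 = Enforced, Link Enabled) plus a second, disabled link.
DDP_DN = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com"
SAMPLE = (f"[LDAP://{DDP_DN};2]"
          "[LDAP://CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=example,DC=com;1]")

if __name__ == "__main__":
    for dn, opts in parse_gplink(SAMPLE):
        print(f"{opts}: {describe(opts):32} {dn}")
    print(set_link_options(SAMPLE, DDP_DN, enforced=False))  # same value, first entry now ";0]"
```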
Comment 3 Andrew Kroeger 2008-05-21 21:38:42 UTC
Regarding comment #1:  The Default Domain Policy does default to enabled; however, it can be changed when using the Group Policy Management MMC.

Under Forest->Domains->(Domain Name)->Group Policy Objects, right-click on Default Domain Policy & look under the GPO Status submenu.
Comment 4 mike wilkinson 2008-05-21 22:32:08 UTC
(In reply to comment #3)
Ah, sorry, Link Enabled is the setting that's forced. I should have double-checked the exact spelling, please forgive.

GPM->Forest->Domains->###->Linked Group Policy Objects, right click on the default policy, and Link Enabled is grayed out.

Also, it appears we can't link any new policies at the domain level: "Create and Link a GPO Here..." as well as "Link an existing GPO..." are both grayed out from right-click on GPM->Forest->Domains->###.

Comment 5 Andrew Kroeger 2008-05-21 22:51:44 UTC
Although I'm not sure, I think the inability to create/link GPOs at the domain level is part of the same issue that won't let you change the Enforced/Link Enabled attributes on the Default Domain Policy.

BTW... My patch from comment #2 has now been applied.
Comment 6 Matthias Dieter Wallnöfer 2008-07-03 02:51:35 UTC
Okay, if I understood it right, the problem with the enforced group policy is fixed. So I'm going to close this one.
The other issue, that only the "Default Group Policy" is available as a group policy object in the domain object, I've posted in bug #4900.