Both the release tarball 4.0.0alpha3 and 4.0.0alpha4-GIT-0c09d28 force the default domain policy as enforced; there's no way to disable it with Active Directory Users & Computers or Group Policy Management tools (the menu item is disabled).
They also force the default domain policy to be enabled; again, there's no way to disable the policy.
Created attachment 3303
Do not provision Default Domain Policy as initially enforced.
The attached patch makes the Default Domain Policy settings match those of Windows: not Enforced, Link Enabled. It is still "locked" in the sense that it cannot be changed via the GUI.
Until the proper fix can be found to allow changing via the GUI, the following workaround will allow the setting to be changed if needed:
1) As root, run "ldbedit -H /usr/local/samba/private/sam.ldb"
2) Search for "gPLink". There is initially only one. If there is more than one, find the one associated with the Samba4 realm name (e.g. realm EXAMPLE.COM -> distinguishedName: DC=example,DC=com)
3) The value of the gPLink attribute ends with ";#]" where # represents the digit 0, 1, 2, or 3. The value of that digit affects the behavior:
- 0: Not Enforced, Link Enabled
- 1: Not Enforced, Not Link Enabled
- 2: Enforced, Link Enabled
- 3: Enforced, Not Link Enabled
4) Once the digit has been changed, exit the editor and ldbedit will commit the changes.
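The digit in the workaround above is a two-bit field, which matters when a gPLink value carries more than one link. The following is an added example, not part of the original comment or of Samba's code, that decodes and rewrites that digit; the `[LDAP://<GPO DN>;<digit>]` link layout, the function names and the sample value are assumptions made for illustration.

```python
import re

# One link inside a gPLink value (assumed layout): [LDAP://<GPO DN>;<digit>]
LINK_RE = re.compile(r"\[(LDAP://[^;\]]+);([0-9]+)\]", re.IGNORECASE)

LINK_DISABLED = 1  # bit 0 set: "Not Link Enabled" (digits 1 and 3)
ENFORCED = 2       # bit 1 set: "Enforced" (digits 2 and 3)


def parse_gplink(value):
    """Split a gPLink value into [(gpo_path, digit), ...], rejecting junk."""
    links, pos = [], 0
    for m in LINK_RE.finditer(value):
        digit = int(m.group(2))
        if m.start() != pos or digit > 3:
            raise ValueError("malformed gPLink near offset %d" % pos)
        links.append((m.group(1), digit))
        pos = m.end()
    if pos != len(value) or not links:
        raise ValueError("malformed gPLink near offset %d" % pos)
    return links


def describe(digit):
    """Render a digit the way the list in the workaround does."""
    enforced = "Enforced" if digit & ENFORCED else "Not Enforced"
    enabled = "Not Link Enabled" if digit & LINK_DISABLED else "Link Enabled"
    return "%s, %s" % (enforced, enabled)


def set_link(value, gpo_guid, enforced, link_enabled):
    """Return value with the digit rewritten for the link naming gpo_guid."""
    new_digit = (ENFORCED if enforced else 0) | (0 if link_enabled else LINK_DISABLED)
    out, hit = [], False
    for path, digit in parse_gplink(value):
        if gpo_guid.lower() in path.lower():
            digit, hit = new_digit, True
        out.append("[%s;%d]" % (path, digit))
    if not hit:
        raise KeyError(gpo_guid)
    return "".join(out)


# Constructed sample for realm EXAMPLE.COM, provisioned as Enforced (digit 2).
SAMPLE = ("[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},"
          "CN=Policies,CN=System,DC=example,DC=com;2]")
if __name__ == "__main__":
    print([describe(d) for _, d in parse_gplink(SAMPLE)])
    print(set_link(SAMPLE, "{31B2F340-016D-11D2-945F-00C04FB984F9}", False, True))
```

The string returned by `set_link` is what would be pasted back as the gPLink value in step 3 of the ldbedit session.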
Regarding comment #1: The Default Domain Policy does default to enabled, however it can be changed when using the Group Policy Management MMC.
Under Forest->Domains->(Domain Name)->Group Policy Objects, right-click on Default Domain Policy & look under the GPO Status submenu.
(In reply to comment #3)
Ah sorry, Link Enabled is the setting that's forced. I should have double checked the exact spelling, please forgive.
GPM->Forest->Domains->###->Linked Group Policy Objects, right click on the default policy, and Link Enabled is grayed out.
Also it appears we can't link any new policies at the domain level; "Create and Link a GPO Here..." as well as "Link an existing GPO..." are both grayed out from right click on GPM->Forest->Domains->###.
Although I'm not sure, I think the inability to create/link GPOs at the domain level is part of the same issue that won't let you change the Enforced/Link Enabled attributes on the Default Domain Policy.
BTW... My patch from comment #2 has now been applied.
Okay, if I understood it right, the problem with the enforced group policy is fixed. So I'm going to close this one.
The other issue (only the "Default Group Policy" being available as a group policy object in the domain object) I've posted in bug #4900.