I'm recentrly facing a problem when applying a simple Computer GPO to some Windows 7 workstations. All User GPOs are correctly applied to the workstations, while Computer GPOs don't. To restrict focus i've just tried to modify the Password Policy but even that policy cannot get applied to the workstations. The strange thing is that from the workstation point, all seem ok. In fact, forcing an policy update command like: c:\>gpupdate /force returns with both User and Computer policies correctly applied. BUT checking the effective password policy in the workstation returns the standard Domain policy instead the modified one (i've only modified the password lenght to 9). c:\>net accounts /domain Min. tra tempo limite e disconnessione imposta: Mai Durata minima della password (giorni): 1 Durata massima della password (giorni): 42 Lunghezza minima della password: **** 7 (instead of 9) Lunghezza cronologia della password: 24 Soglia di blocchi: Mai Durata dei blocchi (minuti): 30 Finestra di osservazione dei blocchi (minuti): 30 Ruolo del computer: PRIMARIO Esecuzione comando riuscita. I've tried to run samba-tool gpo aclcheck but got this output: ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element' File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run return self.run(*args, **kwargs) File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run ds_sd_ndr = m['nTSecurityDescriptor'][0]
Does the problem still exist with a more recent version of Samba? The early 4.0 versions had some incorrect ACLs. If you update, please follow https://wiki.samba.org/index.php/Updating_Samba#Updates_of_early_Samba_4_version_on_Samba_Active_Directory_DCs to fix the ACLs. Please give a short feedback if the problem still exists in a recent version and which one you've tried. Thanks.
(In reply to comment #1) > Does the problem still exist with a more recent version of Samba? The early 4.0 > versions had some incorrect ACLs. > > If you update, please follow > https://wiki.samba.org/index.php/Updating_Samba#Updates_of_early_Samba_4_version_on_Samba_Active_Directory_DCs > to fix the ACLs. > > > Please give a short feedback if the problem still exists in a recent version > and which one you've tried. Thanks. I have tested with 4.1.11. Whilst I do not get the samba-tool python issue, I can confirm that the password policy GPO when configured is not applied. Other policy objects are applied, just not the password ones. Tested the GPO's against Windows XP, Windows 7 and Windows 8 - password complexity requirements, password length, history etc all remained at the defaults. This is after double checking all the policies applied. Whilst not the original submitter of this issue I am able to replicate 100% of the time. Happy to take any feedback as to providing any data for further diagnosis and resolution.
(In reply to comment #2) > Whilst I do not get the samba-tool python issue, I can confirm that the > password policy GPO when configured is not applied. Other policy objects are > applied, just not the password ones. Password policies can't be provided via GPO. Because they have to be validated on the DCs and Samba doesn't provides GPO support (yet). Currently there's no timeline, when this will be implemented. See: https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F You can only define password policies domain-wide via # samba-tool domain passwordsettings...
Loading GPOs on a DC itself is tracked in bug #6613...
not a bug. we even support PSO now.