Policies via Group and policies linked to OU doesn't works

UCS - Univention Corporate Server
#1

There is a huge problem.

Seems that Policies in OU’s doesn’t work. I’ve create them via RSAT and link properly. Checked it twice even in clean install. Any idea what can it be?

Every change in policy linked to OU make an error:

`samba-tool ntacl sysvolcheck` returned a problem with the sysvol ACLs.

STDOUT:
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/test.local/Policies/{DA2B6029-BF3D-4967-B1CA-A76FB3CACA49}/Machine/Registry.pol O:S-1-5-21-485807191-1044838808-759050481-1116G:DAD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;S-1-5-21-485807191-1044838808-759050481-1116)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/test.local/Policies/{DA2B6029-BF3D-4967-B1CA-A76FB3CACA49}/Machine/Registry.pol O:S-1-5-21-485807191-1044838808-759050481-1116G:DAD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;S-1-5-21-485807191-1044838808-759050481-1116)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object

You can run `samba-tool ntacl sysvolreset` to fix the issue.

Edit:
I tried to apply policy for specific users using a group and I’ve link policy to domain but this method doesn’t work either.
Can anyone help how to apply policy for specific users not for all users in domain using UCS?

Edit 2:

After a clean install I have one error listed below. Is it normal? Can it be connected with described problem with OUs?

`samba-tool dbcheck` returned a problem with the local AD database.

STDOUT:
Checking 229 objects
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Groups,DC=test,DC=local - ;;;;;;;;CN=Administrator,CN=Users,DC=test,DC=local
Not fixing SID component mismatch
Please use --fix to fix these errors
Checked 229 objects (1 errors)

You can run `samba-tool dbcheck --fix` to fix the issue.
#2

Still have the same problem and no idea how to make it works. What can be wrong?

Thats what I do:

  1. Create an OU.
  2. Create an user in an OU.
  3. Create a policy.
  4. Link a policy to an OU.

Is there smth I miss?

I have noticed that smth worked when I have added a computer also in the same OU, but it affected all users, also those out of OU. When I try apply a policy to users the policy is nor apply.

I have also a problem when I try to apply a policy for certaint group of users using a Group. This is what I do:

  1. Create a Group.
  2. Add user to Group.
  3. Create a Policie and link to a Domain.
  4. Add a Group to Security Filtering list.
  5. Modify Authenticated Users Security group access to the GPO just for read and not execute.

Any advice?

#3

Hey,

what kind of a policy are we talking about here? Meaning: which settings in the policy are you using?

Note that there are two types of settings in GPOs: user settings and machine settings. Machine settings are only applied to machines but not to users and vice versa: user settings aren’t applied to machines, only to users. So if you only modify machine settings in your GPO, then it doesn’t matter how many users are in the OU you’ve linked the GPO to as all those machine settings don’t apply to the users in said OU.

Kind regards
mosu

Mastodon