[Samba] Fixing sysvol permissions
L.P.H. van Belle
belle at bazuin.nl
Wed Jun 20 09:52:34 UTC 2018
Hai Mark,
Sorry for the late reply, I'm preparing for my holiday and I've lots of work to finish, or I get called in my holiday..
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark Foley via samba
> Sent: Monday 18 June 2018 18:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] Fixing sysvol permissions
>
> On Fri, 15 Jun 2018 12:32:52 +0200 L.P.H. van Belle wrote:
> >
> > > OK, Everyone is currently set to FULL CONTROL. I'll set that to READ.
> >
> > Ai, now... Nobody can write over the share, PCs will complain.
> > Some GPO settings will stop working.
>
> But, when I ran your samba-check-set-sysvol.sh script it told
> me to set EVERYONE: READ. See
> below:
>
> > > $ ./samba-check-set-sysvol.sh
> > > Review the file : default-rights-sysvol.acl, these contains
> > > the defaults for sysvol.
> > > The sysvol ACLS info.....
>
> > >
> > > Please check your share rights for sysvol from within windows.
> > > If these are incorrect, correct them and run this script again.
> > > Set your sysvol SHARE permissions as followed.
> > > EVERYONE: READ <----------------------------------
> > > Authenticated Users: FULL CONTROL
> > > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> > > User/Group system is added compaired to a win2008R2 sysvol,
> > > you need this for some GPO
> > > settings.
> > >
> > > Set your sysvol FOLDER permissions as followed.
> > > Authenticated Users: Read & Exec, Show folder content, Read
> > > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
>
> Perhaps I'm confusing Folder permissions and Share permissions.
No, I answered wrong here.
What's posted is correct.
Set the "SHARE" permissions as above tells you.
>
> > Look here, and setup like that.
> >
> > https://support.microsoft.com/nl-nl/help/2838154/permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-th
>
> Problem: On that link, step 2 "Check whether the Listobject
> permission is set for the
> Authenticated Users group and whether the Authenticated Users
> group is missing from the
> Delegation tab of the Group Policy Object." When I edit
> 'Authenticated Users', I don't have
> that "Default Domain Controllers Policy" dialog. Or if I do,
> that link doesn't tell me how to
> get there.
>
> Let me list everything I've got:
>
> sysvol FOLDER Permissions:
>
> CREATOR OWNER
> special
> (Advanced) Subfolders and files only
> Full Control - everything is checked)
> (apply these permissions to objects and/or containers ... not checked)
>
> CREATOR GROUP Subfolders and files only
> special
> (Advanced) Subfolders and files only
> Traverse folder / execute file
> List folder / read data
> Read attributes
> Read extended attributes
> Read permissions
> (apply these permissions to objects and/or containers ... not checked)
>
> Authenticated Users
> Read & Execute
> List folder contents
> Read
> (Advanced) This folder, Subfolders and files
> Traverse folder / execute file
> List folder / read data
> Read attributes
> Read extended attributes
> Read permissions
> (apply these permissions to objects and/or containers ... not checked)
>
> SYSTEM
> Full control
> (advanced) This folder, subfolders and files
> full control - everything is checked
> (apply these permissions to objects and/or containers ... not checked)
>
> Administrators (HPRS\Administrators)
> Full control
> (advanced) This folder, subfolders and files
> full control - everything is checked
> (apply these permissions to objects and/or containers ... not checked)
>
> sysvol SHARE Permissions:
>
> EVERYONE: READ
> Authenticated Users: FULL CONTROL
> HPRS\Administrators: FULL CONTROL
> SYSTEM, FULL CONTROL
>
> Does this look correct? Is this what you have?
Yes, that's exactly what I also have.
But ... Did you reapply all settings to all the subfolders after you applied them?
And what might be wrong is, you might try to apply a user setting for a computer or a computer setting for a user.
The difference is, which user is trying to access the file of the group policy.
A) computer = user SYSTEM that impersonates user COMPUTERNAME$
B) user = user You_Windows_User
>
> Nevertheless, when I try to log into a workstation as a
> domain user I still do not get that
> user's desktop. In the Windows eventlog Windows Logs >
> System, I get Event 1906 error,
> GroupPolicy:
>
> Error Description: Access is denied.
> GPOCName:
> LDAP://CN=User,cn={178C3418-E432-414A-9185-DCD1AB359A3B},cn=policies,cn=system,DC=hprs,DC=local
> FilePath:
> \\hprs.local\SysVol\hprs.local\Policies\{178C3418-E432-414A-9185-DCD1AB359A3B}\User\registry.pol
>
> This is driving me crazy!
Yep know that, been there.
>
> --Mark
>
Greetz,
Louis
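
Added example, not part of the original message or of samba-check-set-sysvol.sh: a small checker that takes the SDDL form of a file's ACL (for instance from `samba-tool ntacl get --as-sddl`) and reports which of the folder permissions listed in the thread are not granted on the object itself. The SID aliases (AU, BA, SY), the function names and both sample SDDL strings are assumptions constructed for illustration; deny ACEs and group membership are not evaluated.

```python
import re

# File access masks for the rights named in the thread.
FILE_ALL_ACCESS = 0x001F01FF    # "Full control"
READ_AND_EXECUTE = 0x001200A9   # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE
SYMBOLIC = {"FA": 0x001F01FF, "FR": 0x00120089,
            "FW": 0x00120116, "FX": 0x001200A0}

# Folder permissions from the thread, keyed by SDDL SID alias (assumed mapping):
# AU = Authenticated Users, BA = BUILTIN\Administrators, SY = SYSTEM.
EXPECTED = {"AU": READ_AND_EXECUTE, "BA": FILE_ALL_ACCESS, "SY": FILE_ALL_ACCESS}

ACE_RE = re.compile(r"\(([^()]*)\)")


def parse_rights(field):
    """Turn an SDDL rights field (hex mask or two-letter codes) into an int."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= SYMBOLIC[field[i:i + 2]]  # KeyError on codes not mapped here
    return mask


def effective_allow(sddl):
    """Return {trustee: mask} for allow ACEs that apply to the object itself."""
    allowed = {}
    for ace in ACE_RE.findall(sddl):
        ace_type, flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        # Inherit-only (IO) ACEs, e.g. "Subfolders and files only", affect
        # children but grant nothing on the object that carries them.
        if ace_type != "A" or "IO" in flag_set:
            continue
        allowed[trustee] = allowed.get(trustee, 0) | parse_rights(rights)
    return allowed


def missing_rights(sddl, expected=EXPECTED):
    """Return {trustee: missing mask bits} for expected rights not granted."""
    allowed = effective_allow(sddl)
    gaps = {t: want & ~allowed.get(t, 0) for t, want in expected.items()}
    return {t: bits for t, bits in gaps.items() if bits}


# Constructed samples: GOOD matches the thread's list, BAD has only an
# inherit-only ACE for Authenticated Users.
GOOD_SDDL = ("O:BAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001f01ff;;;SY)"
             "(A;OICI;0x001200a9;;;AU)(A;OICIIO;0x001f01ff;;;CO)")
BAD_SDDL = "O:BAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICIIO;FRFX;;;AU)"
```

An empty result from `missing_rights` means every expected trustee has at least the listed rights on that object; a non-empty one names the trustee and the missing mask bits.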