GPO Question

Matthieu Patou mat at samba.org
Thu Apr 26 01:00:40 MDT 2012 

On 04/17/2012 03:13 AM, Jozef Wijers wrote:
>
>
> Hello Mat, (?)
>
> For some time I have been suffering from GPO
> issues. With the latest Alpha build, it works. Actually, it works
> partially.
>
> The problems start when one try's to edit the Group
> Policy's in a second administrator account, created afterwards. So
> Administrator itself works, and it can make changes. They apply.
>
> But
> now, imagine there is a second account, called "Admin". This one has
> exactly the same memberships as the Administrator account, including
> Group Policy Creator Owners. So, one expect he would be fine. So I
> opened the GP-Console, and started editing the the policy's. After I
> clicked save, I got a strange "NT_PERMISSION_DENIED" error. Okay.
> Permission Denied. No trouble anyway, expect the setted policy's are
> gone. No permission should be: no effect at all.
I explained this in another thread but basically the error is that 
default policies and policies created by administrator have a group 
ownership to "administrators" of which other admins member of the 
"domain admins" are not member.

>
> No. After this error,
> all GPO settings are completely gone. Even in the Administrator account,
> they are nowhere anymore. When I set them again, under Administrator,
> they persist. Note that, after the error, the policy's seems corrupted.
This is due in fact to the problem that you are granted at the NTACL 
level but not at the posix acl level in linux, there is not much that 
can be done right now but set quite broad posix permission on those folders.
>
> "gpupdate /force" errors out.
>
> I've heard some say, that you know
> what is happening here. They were talking about 4 things to do, before
> it works in other accounts. The only thing he (rixter) remembered, is
> that you had a chat for over a night for this issue. It had not just
> something to do with the ACL's, there was more, according to him.
So I highly recommend to read the other email I made a couple of days ago.
If you have any question feel fee to ask more details.

Regards.
Matthieu.

-- 
Matthieu Patou
Samba Team
http://samba.org

More information about the samba-technical mailing list