[Samba] GPO Computer settings not applied

Ricky Nance ricky.nance at weaubleau.k12.mo.us
Fri Mar 29 15:01:51 MDT 2013


Have you tried samba-tool ntacl sysvolreset yet?

Ricky
On Mar 29, 2013 2:16 PM, "Pavel Valach" <valach.pavel at outlook.com> wrote:

> Hello,
> I'm having one strange issue with latest stable Samba 4.0.4. I'm testing
> it as a domain controller for two virtual machines.
> The Samba AD DC is Debian stable, with two domain members - Windows XP Pro
> and trial Windows 8 Enterprise.
> User configuration using GPOs is working as expected. However, Computer
> configuration is never applied properly. Event logs show this entry:
> ------
> Source: GroupPolicy (Microsoft-Windows-GroupPolicy)
> Event ID: 1058
> EventData
>  SupportInfo1 4
>  SupportInfo2 820
>  ProcessingMode 0
>  ProcessingTimeInMilliseconds 516
>  ErrorCode 5
>  ErrorDescription Access is denied.
>  DCName debian-server.gym.internal
>  GPOCNName
> cn={CE7B09A1-D85A-4A40-9C2F-3DD0DA013345},cn=policies,cn=system,DC=gym,DC=internal
>  FilePath
> \\gym.internal\SysVol\gym.internal\Policies\{CE7B09A1-D85A-4A40-9C2F-3DD0DA013345}\gpt.ini
> The processing of Group Policy failed. Windows attempted to read the file
> \\gym.internal\SysVol\gym.internal\Policies\{CE7B09A1-D85A-4A40-9C2F-3DD0DA013345}\gpt.ini
> from a domain controller and was not successful. Group Policy settings may
> not be applied until this event is resolved. This issue may be transient
> and could be caused by one or more of the following:
> a) Name Resolution/Network Connectivity to the current domain controller.
> b) File Replication Service Latency (a file created on another domain
> controller has not replicated to the current domain controller).
> c) The Distributed File System (DFS) client has been disabled.
> ------
> a) Name resolution works, gym.internal is accessible and DNS query for
> gym.internal returns correct result.
> b) File gpt.ini is readable with following content:
> ------
> [General]
> Version=3
> displayName=Nový objekt zásad skupiny
> ------
> c) Distributed File System is not enabled on my VMs.
> I'm suspecting a possible problem with permissions. I have already tried
> to:
> 1) link GPO to the proper domain / OU
> 2) reboot computer several times
> 3) set various permissions for various people
> Currently I have two GPOs which modify computer settings. "Default Domain
> Policy" and "Nejaka nastaveni pro ucebnu". Neither of them show up in the
> GPRESULT report. "Default Domain Policy" modify both user and computer
> configuration, "Nejaka nastaveni pro ucebnu" modify only computer
> configuration.
> Permissions for "Nejaka nastaveni pro ucebnu":
> - Authenticated Users - Read (from Security Filtering) - Not Inherited
> - Domain Admins - Edit settings, delete, modify security - Not Inherited
> - Enterprise Admins - Edit settings, delete, modify security - Not
> Inherited
> - ServerLogon - Read - Not Inherited
> - SYSTEM - Edit settings, delete, modify security - Not Inherited
> Here is result of GPRESULT /R command that ran on the Win8 VM. On Windows
> XP, Computer Settings had N/A security groups - which is weird.
> =====
> RSOP data for GYM\valachp on UC01-TEST : Logging Mode
> ------------------------------------------------------
> OS Configuration: Member Workstation
> OS Version: 6.2.9200
> Site Name: N/A
> Roaming Profile: N/A
> Local Profile: C:\Users\valachp
> Connected over a slow link?: No
> COMPUTER SETTINGS
> ------------------
>  CN=UC01-TEST,OU=Ucebny,DC=gym,DC=internal
>  Last time Group Policy was applied: 29. 3. 2013 at 19:35:17
>  Group Policy was applied from: debian-server.gym.internal
>  Group Policy slow link threshold: 500 kbps
>  Domain Name: WINDOWS-UJ49S6B
>  Domain Type: WindowsNT 4
>  Applied Group Policy Objects
>  -----------------------------
>  N/A
>  The following GPOs were not applied because they were filtered out
>  -------------------------------------------------------------------
>  Local Group Policy
>  Filtering: Not Applied (Empty)
>  The computer is a part of the following security groups
>  -------------------------------------------------------
>  System Mandatory Level
>  Everyone
>  BUILTIN\Users
>  NT AUTHORITY\SERVICE
>  CONSOLE LOGON
>  NT AUTHORITY\Authenticated Users
>  This Organization
>  BDESVC
>  BITS
>  CertPropSvc
>  DsmSvc
>  Eaphost
>  hkmsvc
>  IKEEXT
>  iphlpsvc
>  LanmanServer
>  MMCSS
>  MSiSCSI
>  NcaSvc
>  RasAuto
>  RasMan
>  RemoteAccess
>  Schedule
>  SCPolicySvc
>  SENS
>  SessionEnv
>  SharedAccess
>  ShellHWDetection
>  SystemEventsBroker
>  wercplsupport
>  Winmgmt
>  wlidsvc
>  wuauserv
>  LOCAL
>  BUILTIN\Administrators
> USER SETTINGS
> --------------
>  CN=Pavel Valach,CN=Users,DC=gym,DC=internal
>  Last time Group Policy was applied: 29. 3. 2013 at 19:35:17
>  Group Policy was applied from: debian-server.gym.internal
>  Group Policy slow link threshold: 500 kbps
>  Domain Name: GYM
>  Domain Type: Windows 2000
>  Applied Group Policy Objects
>  -----------------------------
>  Default Domain Policy
>  Zásady pro studenty
>  The following GPOs were not applied because they were filtered out
>  -------------------------------------------------------------------
>  Local Group Policy
>  Filtering: Not Applied (Empty)
>  The user is a part of the following security groups
>  ---------------------------------------------------
>  Domain Users
>  Everyone
>  BUILTIN\Users
>  NT AUTHORITY\INTERACTIVE
>  CONSOLE LOGON
>  NT AUTHORITY\Authenticated Users
>  This Organization
>  LOCAL
>  Studenti
>  Medium Mandatory Level
> =====
> Well, I think that's enough for now... I'd very appreciate if someone
> could take a look at this. I hope it's just me overlooking something so
> simple.
> If you need any other information, please let me know.
> Thanks and best regards
> -Pavel
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


More information about the samba mailing list