[Samba] GPO Computer settings not applied
Pavel Valach
valach.pavel at outlook.com
Fri Mar 29 16:31:11 MDT 2013
Huh,
that fixed it!
I must admit I tripped over this command somewhere; it just seemed too destructive to me. Good thing it exists though :)
Thanks!
Pavel
________________________________
> Date: Fri, 29 Mar 2013 16:01:51 -0500
> Subject: Re: [Samba] GPO Computer settings not applied
> From: ricky.nance at weaubleau.k12.mo.us
> To: valach.pavel at outlook.com
> CC: samba at lists.samba.org
>
>
> Have you tried samba-tool ntacl sysvolreset yet?
>
> Ricky
>
> On Mar 29, 2013 2:16 PM, "Pavel Valach"
> <valach.pavel at outlook.com> wrote:
> Hello,
> I'm having one strange issue with the latest stable Samba 4.0.4. I'm
> testing it as a domain controller for two virtual machines.
> The Samba AD DC is Debian stable, with two domain members - Windows XP
> Pro and trial Windows 8 Enterprise.
> User configuration using GPOs is working as expected. However, Computer
> configuration is never applied properly. Event logs show this entry:
> ------
> Source: GroupPolicy (Microsoft-Windows-GroupPolicy)
> Event ID: 1058
> EventData
> SupportInfo1 4
> SupportInfo2 820
> ProcessingMode 0
> ProcessingTimeInMilliseconds 516
> ErrorCode 5
> ErrorDescription Access is denied.
> DCName debian-server.gym.internal
> GPOCNName
> cn={CE7B09A1-D85A-4A40-9C2F-3DD0DA013345},cn=policies,cn=system,DC=gym,DC=internal
> FilePath
> \\gym.internal\SysVol\gym.internal\Policies\{CE7B09A1-D85A-4A40-9C2F-3DD0DA013345}\gpt.ini
> The processing of Group Policy failed. Windows attempted to read the
> file
> \\gym.internal\SysVol\gym.internal\Policies\{CE7B09A1-D85A-4A40-9C2F-3DD0DA013345}\gpt.ini
> from a domain controller and was not successful. Group Policy settings
> may not be applied until this event is resolved. This issue may be
> transient and could be caused by one or more of the following:
> a) Name Resolution/Network Connectivity to the current domain controller.
> b) File Replication Service Latency (a file created on another domain
> controller has not replicated to the current domain controller).
> c) The Distributed File System (DFS) client has been disabled.
> ------
> a) Name resolution works, gym.internal is accessible and a DNS query for
> gym.internal returns the correct result.
> b) File gpt.ini is readable with the following content:
> ------
> [General]
> Version=3
> displayName=Nový objekt zásad skupiny
> ------
> c) Distributed File System is not enabled on my VMs.
> I'm suspecting a possible problem with permissions. I have already tried to:
> 1) link GPO to the proper domain / OU
> 2) reboot computer several times
> 3) set various permissions for various people
> Currently I have two GPOs which modify computer settings: "Default
> Domain Policy" and "Nejaka nastaveni pro ucebnu". Neither of them shows
> up in the GPRESULT report. "Default Domain Policy" modifies both user and
> computer configuration, "Nejaka nastaveni pro ucebnu" modifies only
> computer configuration.
> Permissions for "Nejaka nastaveni pro ucebnu":
> - Authenticated Users - Read (from Security Filtering) - Not Inherited
> - Domain Admins - Edit settings, delete, modify security - Not Inherited
> - Enterprise Admins - Edit settings, delete, modify security - Not Inherited
> - ServerLogon - Read - Not Inherited
> - SYSTEM - Edit settings, delete, modify security - Not Inherited
> Here is result of GPRESULT /R command that ran on the Win8 VM. On
> Windows XP, Computer Settings had N/A security groups - which is weird.
> =====
> RSOP data for GYM\valachp on UC01-TEST : Logging Mode
> ------------------------------------------------------
> OS Configuration: Member Workstation
> OS Version: 6.2.9200
> Site Name: N/A
> Roaming Profile: N/A
> Local Profile: C:\Users\valachp
> Connected over a slow link?: No
> COMPUTER SETTINGS
> ------------------
> CN=UC01-TEST,OU=Ucebny,DC=gym,DC=internal
> Last time Group Policy was applied: 29. 3. 2013 at 19:35:17
> Group Policy was applied from: debian-server.gym.internal
> Group Policy slow link threshold: 500 kbps
> Domain Name: WINDOWS-UJ49S6B
> Domain Type: WindowsNT 4
> Applied Group Policy Objects
> -----------------------------
> N/A
> The following GPOs were not applied because they were filtered out
> -------------------------------------------------------------------
> Local Group Policy
> Filtering: Not Applied (Empty)
> The computer is a part of the following security groups
> -------------------------------------------------------
> System Mandatory Level
> Everyone
> BUILTIN\Users
> NT AUTHORITY\SERVICE
> CONSOLE LOGON
> NT AUTHORITY\Authenticated Users
> This Organization
> BDESVC
> BITS
> CertPropSvc
> DsmSvc
> Eaphost
> hkmsvc
> IKEEXT
> iphlpsvc
> LanmanServer
> MMCSS
> MSiSCSI
> NcaSvc
> RasAuto
> RasMan
> RemoteAccess
> Schedule
> SCPolicySvc
> SENS
> SessionEnv
> SharedAccess
> ShellHWDetection
> SystemEventsBroker
> wercplsupport
> Winmgmt
> wlidsvc
> wuauserv
> LOCAL
> BUILTIN\Administrators
> USER SETTINGS
> --------------
> CN=Pavel Valach,CN=Users,DC=gym,DC=internal
> Last time Group Policy was applied: 29. 3. 2013 at 19:35:17
> Group Policy was applied from: debian-server.gym.internal
> Group Policy slow link threshold: 500 kbps
> Domain Name: GYM
> Domain Type: Windows 2000
> Applied Group Policy Objects
> -----------------------------
> Default Domain Policy
> Zásady pro studenty
> The following GPOs were not applied because they were filtered out
> -------------------------------------------------------------------
> Local Group Policy
> Filtering: Not Applied (Empty)
> The user is a part of the following security groups
> ---------------------------------------------------
> Domain Users
> Everyone
> BUILTIN\Users
> NT AUTHORITY\INTERACTIVE
> CONSOLE LOGON
> NT AUTHORITY\Authenticated Users
> This Organization
> LOCAL
> Studenti
> Medium Mandatory Level
> =====
> Well, I think that's enough for now... I'd very much appreciate it if
> someone could take a look at this. I hope it's just me overlooking
> something so simple.
> If you need any other information, please let me know.
> Thanks and best regards
> -Pavel
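The fix from this thread as a check-first procedure, added here as an example that is not part of the original messages: it runs `samba-tool ntacl sysvolcheck`, optionally prints the SDDL of one sysvol file before and after, and calls `samba-tool ntacl sysvolreset` only when the check reports a mismatch. The function name, the `SAMBA_TOOL` override and the return codes are assumptions of this example, as is `sysvolcheck` exiting non-zero on a mismatch.

```shell
#!/bin/sh
# Added example: check sysvol ACLs first, reset only on a mismatch.
# SAMBA_TOOL is an override hook introduced for this example (assumption);
# it defaults to the real samba-tool binary.
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# sysvol_acl_repair [probe-file]
#   probe-file: optional path on the DC to one file under sysvol (for example
#   a GPO's gpt.ini); its ACL is printed as SDDL before and after the reset.
# Returns 0 if the ACLs were already consistent, 10 if they were reset and
# now verify clean, 1 if the reset failed or did not clear the mismatch.
sysvol_acl_repair() {
    probe="${1:-}"
    if "$SAMBA_TOOL" ntacl sysvolcheck >/dev/null 2>&1; then
        echo "sysvolcheck: ACLs consistent, nothing to reset"
        return 0
    fi
    echo "sysvolcheck: mismatch found"
    if [ -n "$probe" ]; then
        echo "ACL before reset:"
        "$SAMBA_TOOL" ntacl get --as-sddl "$probe" || echo "(unreadable)"
    fi
    "$SAMBA_TOOL" ntacl sysvolreset || return 1
    if [ -n "$probe" ]; then
        echo "ACL after reset:"
        "$SAMBA_TOOL" ntacl get --as-sddl "$probe" || echo "(unreadable)"
    fi
    if "$SAMBA_TOOL" ntacl sysvolcheck >/dev/null 2>&1; then
        echo "sysvolreset: ACLs reset and verified"
        return 10
    fi
    echo "sysvolcheck still reports a mismatch after reset" >&2
    return 1
}
```

Call `sysvol_acl_repair` as root on the domain controller; a return of 10 means a reset happened, so run `gpupdate /force` on a client afterwards and confirm that event 1058 no longer appears.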