[Samba] GPO Computer settings not applied

Pavel Valach valach.pavel at outlook.com
Fri Mar 29 16:31:11 MDT 2013


Huh,
that fixed it!

I must admit I tripped over this command somewhere, it just seemed too destructive to me. Good thing it exists though :)

Thanks!

Pavel

________________________________
> Date: Fri, 29 Mar 2013 16:01:51 -0500 
> Subject: Re: [Samba] GPO Computer settings not applied 
> From: ricky.nance at weaubleau.k12.mo.us 
> To: valach.pavel at outlook.com 
> CC: samba at lists.samba.org 
> 
> 
> Have you tried samba-tool ntacl sysvolreset yet? 
> 
> Ricky 
> 
> On Mar 29, 2013 2:16 PM, "Pavel Valach" 
> <valach.pavel at outlook.com> wrote: 
> Hello, 
> I'm having one strange issue with the latest stable Samba 4.0.4. I'm 
> testing it as a domain controller for two virtual machines. 
> The Samba AD DC is Debian stable, with two domain members - Windows XP 
> Pro and trial Windows 8 Enterprise. 
> User configuration using GPOs is working as expected. However, Computer 
> configuration is never applied properly. Event logs show this entry: 
> ------ 
> Source: GroupPolicy (Microsoft-Windows-GroupPolicy) 
> Event ID: 1058 
> EventData 
> SupportInfo1 4 
> SupportInfo2 820 
> ProcessingMode 0 
> ProcessingTimeInMilliseconds 516 
> ErrorCode 5 
> ErrorDescription Access is denied. 
> DCName debian-server.gym.internal 
> GPOCNName 
> cn={CE7B09A1-D85A-4A40-9C2F-3DD0DA013345},cn=policies,cn=system,DC=gym,DC=internal 
> FilePath 
> \\gym.internal\SysVol\gym.internal\Policies\{CE7B09A1-D85A-4A40-9C2F-3DD0DA013345}\gpt.ini 
> The processing of Group Policy failed. Windows attempted to read the 
> file 
> \\gym.internal\SysVol\gym.internal\Policies\{CE7B09A1-D85A-4A40-9C2F-3DD0DA013345}\gpt.ini 
> from a domain controller and was not successful. Group Policy settings 
> may not be applied until this event is resolved. This issue may be 
> transient and could be caused by one or more of the following: 
> a) Name Resolution/Network Connectivity to the current domain controller. 
> b) File Replication Service Latency (a file created on another domain 
> controller has not replicated to the current domain controller). 
> c) The Distributed File System (DFS) client has been disabled. 
> ------ 
> a) Name resolution works, gym.internal is accessible and DNS query for 
> gym.internal returns correct result. 
> b) File gpt.ini is readable with the following content: 
> ------ 
> [General] 
> Version=3 
> displayName=Nový objekt zásad skupiny 
> ------ 
> c) Distributed File System is not enabled on my VMs. 
> I'm suspecting a possible problem with permissions. I have already tried to: 
> 1) link GPO to the proper domain / OU 
> 2) reboot computer several times 
> 3) set various permissions for various people 
> Currently I have two GPOs which modify computer settings. "Default 
> Domain Policy" and "Nejaka nastaveni pro ucebnu". Neither of them shows 
> up in the GPRESULT report. "Default Domain Policy" modifies both user and 
> computer configuration, "Nejaka nastaveni pro ucebnu" modifies only 
> computer configuration. 
> Permissions for "Nejaka nastaveni pro ucebnu": 
> - Authenticated Users - Read (from Security Filtering) - Not Inherited 
> - Domain Admins - Edit settings, delete, modify security - Not Inherited 
> - Enterprise Admins - Edit settings, delete, modify security - Not Inherited 
> - ServerLogon - Read - Not Inherited 
> - SYSTEM - Edit settings, delete, modify security - Not Inherited 
> Here is result of GPRESULT /R command that ran on the Win8 VM. On 
> Windows XP, Computer Settings had N/A security groups - which is weird. 
> ===== 
> RSOP data for GYM\valachp on UC01-TEST : Logging Mode 
> ------------------------------------------------------ 
> OS Configuration: Member Workstation 
> OS Version: 6.2.9200 
> Site Name: N/A 
> Roaming Profile: N/A 
> Local Profile: C:\Users\valachp 
> Connected over a slow link?: No 
> COMPUTER SETTINGS 
> ------------------ 
> CN=UC01-TEST,OU=Ucebny,DC=gym,DC=internal 
> Last time Group Policy was applied: 29. 3. 2013 at 19:35:17 
> Group Policy was applied from: debian-server.gym.internal 
> Group Policy slow link threshold: 500 kbps 
> Domain Name: WINDOWS-UJ49S6B 
> Domain Type: WindowsNT 4 
> Applied Group Policy Objects 
> ----------------------------- 
> N/A 
> The following GPOs were not applied because they were filtered out 
> ------------------------------------------------------------------- 
> Local Group Policy 
> Filtering: Not Applied (Empty) 
> The computer is a part of the following security groups 
> ------------------------------------------------------- 
> System Mandatory Level 
> Everyone 
> BUILTIN\Users 
> NT AUTHORITY\SERVICE 
> CONSOLE LOGON 
> NT AUTHORITY\Authenticated Users 
> This Organization 
> BDESVC 
> BITS 
> CertPropSvc 
> DsmSvc 
> Eaphost 
> hkmsvc 
> IKEEXT 
> iphlpsvc 
> LanmanServer 
> MMCSS 
> MSiSCSI 
> NcaSvc 
> RasAuto 
> RasMan 
> RemoteAccess 
> Schedule 
> SCPolicySvc 
> SENS 
> SessionEnv 
> SharedAccess 
> ShellHWDetection 
> SystemEventsBroker 
> wercplsupport 
> Winmgmt 
> wlidsvc 
> wuauserv 
> LOCAL 
> BUILTIN\Administrators 
> USER SETTINGS 
> -------------- 
> CN=Pavel Valach,CN=Users,DC=gym,DC=internal 
> Last time Group Policy was applied: 29. 3. 2013 at 19:35:17 
> Group Policy was applied from: debian-server.gym.internal 
> Group Policy slow link threshold: 500 kbps 
> Domain Name: GYM 
> Domain Type: Windows 2000 
> Applied Group Policy Objects 
> ----------------------------- 
> Default Domain Policy 
> Zásady pro studenty 
> The following GPOs were not applied because they were filtered out 
> ------------------------------------------------------------------- 
> Local Group Policy 
> Filtering: Not Applied (Empty) 
> The user is a part of the following security groups 
> --------------------------------------------------- 
> Domain Users 
> Everyone 
> BUILTIN\Users 
> NT AUTHORITY\INTERACTIVE 
> CONSOLE LOGON 
> NT AUTHORITY\Authenticated Users 
> This Organization 
> LOCAL 
> Studenti 
> Medium Mandatory Level 
> ===== 
> Well, I think that's enough for now... I'd very much appreciate it if someone 
> could take a look at this. I hope it's just me overlooking something so 
> simple. 
> If you need any other information, please let me know. 
> Thanks and best regards 
> -Pavel 
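
Added example (not part of the original thread and not Samba code): a small triage parser for a pasted GroupPolicy event 1058 like the one quoted above, which pulls out the GPO GUID, the DC and the error code and flags ErrorCode 5 as a SYSVOL ACL problem, the case that samba-tool ntacl sysvolreset fixed here. The function names and the hint texts are assumptions; sysvolcheck is the read-only samba-tool ntacl subcommand that sits alongside sysvolreset.

```python
import re

# Constructed sample: EventData fields as quoted in the thread, including the
# wrapped GPOCNName/FilePath values and the ">" reply prefix.
SAMPLE = r"""
> Event ID: 1058
> ErrorCode 5
> ErrorDescription Access is denied.
> DCName debian-server.gym.internal
> GPOCNName
> cn={CE7B09A1-D85A-4A40-9C2F-3DD0DA013345},cn=policies,cn=system,DC=gym,DC=internal
> FilePath
> \\gym.internal\SysVol\gym.internal\Policies\{CE7B09A1-D85A-4A40-9C2F-3DD0DA013345}\gpt.ini
"""

# Standard Win32 error codes mapped to what to check first (assumed triage notes).
HINTS = {
    2: "gpt.ini not found: is the policy folder present in SYSVOL on the DC?",
    3: "path not found: policy folder missing or SYSVOL share not reachable",
    5: "access denied: compare SYSVOL ACLs (samba-tool ntacl sysvolcheck / sysvolreset)",
    53: "network path not found: check DNS and connectivity to the DC",
}
FIELDS = ("ErrorCode", "ErrorDescription", "DCName", "GPOCNName", "FilePath")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_event_1058(text):
    """Return the EventData fields of a pasted event 1058 as a dict."""
    lines = [ln.lstrip(">").strip() for ln in text.splitlines()]
    event = {}
    for i, line in enumerate(lines):
        name, _, value = line.partition(" ")
        if name in FIELDS and name not in event:
            if not value and i + 1 < len(lines):  # value wrapped onto next line
                value = lines[i + 1]
            event[name] = value.strip()
    return event

def triage(event):
    """Summarise which GPO failed, on which DC, and what to check first."""
    raw = event.get("ErrorCode", "")
    code = int(raw) if raw.isdigit() else None
    guid = GUID_RE.search(event.get("GPOCNName", "") + event.get("FilePath", ""))
    return {
        "gpo_guid": guid.group(0) if guid else None,
        "dc": event.get("DCName"),
        "error_code": code,
        "hint": HINTS.get(code, "unmapped error code: inspect the event manually"),
        "sysvol_acl_suspect": code == 5,
    }

if __name__ == "__main__":
    print(triage(parse_event_1058(SAMPLE)))
```

Because sysvolreset rewrites every ACL under sysvol, a result with sysvol_acl_suspect set is a reason to run the read-only check and save the current ACLs first, not to reset straight away.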

