[Samba] Permission Issues with GPO

mathias dufresne infractory at gmail.com
Tue Nov 17 12:30:13 UTC 2015


Hey,

If your GPOs are stored in AD (they are not template GPOs with all GPO
information in some file; I think this kind of non-pure-AD GPO is stored
in ADMX files, not sure), in GPMC.msc you have to define which entities
would receive the GPO. Once the GPO is created, once it is set up, you have
two parts in the right panel. The bottom part is to define to whom this GPO
would be applied.

In that case, GPO ownership should be reset by AD (don't ask me which
part of AD) if you modify GPO ACLs manually.

To be clear: you must use GPMC.msc to manage GPO ACLs. That is, if they are
not templates.

Hoping this could help to find a solution.

mathias

2015-11-17 4:04 GMT+01:00 Viktor Trojanovic <viktor at troja.ch>:

> I was experiencing problems with Group Policy Objects. The Windows Event
> Viewer spits out so many different errors, most of them less than helpful,
> so I was seeking help here with some of those messages.
>
> In the end, and after many hours and even days of researching this
> problem, I seem to have pin-pointed the main issue to some simple
> permission irregularities that I don't know how to solve.
>
> In my setup, I have an AD DC and a member server, the latter in the
> function of a file server. Both are a Samba-only implementation based on
> version 4.3.1 of the server.
>
> Everything seems to work well enough, I never noticed any issue when
> working in a user context - I can authenticate, and I can use the file
> server as intended. But evidently, any policies that require access to the
> file server in a machine context (computer configuration node of the GPO),
> fail. I was able to confirm that in multiple tests.
>
> I'm at my wit's end as it seems to me that all the necessary share
> permissions and NTACLs are in place. I even followed the advice I could
> find on some forum pages to add the group "domain computers" to the share
> permissions but that didn't help either.
>
> Any advice or best practices? I can't imagine this should be so
> complicated.
>
> Viktor