[Samba] Problems with GPO
Rowland Penny
rpenny at samba.org
Thu Nov 3 15:59:07 UTC 2016
On Thu, 3 Nov 2016 10:25:00 -0400
lingpanda101 via samba <samba at lists.samba.org> wrote:
> On 11/3/2016 9:59 AM, Marcio Demetrio Bacci wrote:
> > Thanks Lingpanda101
> >
> > Following the result of command:
> >
> > # file: Policies/{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}
> > # owner: 10060
> > # group: 30028
> > user::rwx
> > user:10060:rwx
> > user:3000002:rwx
> > user:3000010:r-x
> > group::rwx
> > group:30028:rwx
> > group:30032:r-x
> > group:30033:rwx
> > group:3000002:rwx
> > group:3000010:r-x
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:10060:rwx
> > default:user:3000002:rwx
> > default:user:3000010:r-x
> > default:group::---
> > default:group:30028:rwx
> > default:group:30032:r-x
> > default:group:30033:rwx
> > default:group:3000002:rwx
> > default:group:3000010:r-x
> > default:mask::rwx
> > default:other::---
> >
> >
> >
> > Regards,
> >
> > Márcio
> >
> > 2016-11-03 11:46 GMT-02:00 lingpanda101 via samba
> > <samba at lists.samba.org <mailto:samba at lists.samba.org>>:
> >
> > On 11/2/2016 5:51 PM, Marcio Demetrio Bacci via samba wrote:
> >
> > I'm having problems with GPO in Samba 4.2.1
> >
> > I created a GPO to Block Control Panel and applied in my
> > Domain OU.
> >
> > In desktop client I typed "gpupdate /force" and appear a
> > success message
> > that to ask reboot my system. After rebuot the GPO don't
> > work.
> >
> > Other GPOs as WSUS update, Wallpaper and others, don't work
> > too.
> >
> >
> > Following is the result of command: GPRESULT /H
> > GPResult.html
> >
> > GPOs Applied
> > Name Location Link Revision
> > Default Domain Policy empresa.com.br
> > <http://empresa.com.br> AD (1), Sysvol (65535)
> >
> > GPOs Denied
> > Name Location Link Denial Reason
> > Local Group Policies Location EMPTY
> > {0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625} empresa.com.br
> > <http://empresa.com.br>
> > Inacessible
> > {D65C5B66-A380-48AD-AC8A-DE417173E293}
> > empresa.comb.br/EMPRESA/SecInfor
> > <http://empresa.comb.br/EMPRESA/SecInfor>
> > Inacessible
> > Wallpaper empresa.comb.br/EMPRESA/SecInfor
> > <http://empresa.comb.br/EMPRESA/SecInfor> Inacessible
> >
> > How can I debug this problem ?
> >
> > Regards,
> >
> > Márcio
> >
> >
> > The denial reason Inaccessible usually refers to a permissions
> > problem. Verify your user and or computer the GPO applies to has
> > the correct permissions. Can you run 'getfacl
> > /Policies/{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}' and post the
> > results?
> >
> > --
> > - James
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read
> > the instructions: https://lists.samba.org/mailman/options/samba
> > <https://lists.samba.org/mailman/options/samba>
> >
> >
> I see you have given some users and groups a UID. Can you tell me the
> results of
>
> wbinfo --uid-info=10060
> wbinfo --uid-info=30028
> wbinfo --uid-info=30032
> wbinfo --uid-info=10060
> wbinfo --uid-info=30033
>
> I don't see user:3000003 which I believe is Authenticated Users. Did
> you give this group a UID?
>
>
>
Seeing as this is not one of the two std GPOs, you have a problem. When
you create a GPO, the owners are Domain Admins and the group is Domain
Admins, so who is '10060' and what is '30028' ?
Rowland
More information about the samba
mailing list