[Samba] Rebuild the Corrupt default Group Policy

Anantha Raghava raghav at exzatechconsulting.com
Fri Jul 7 09:14:40 UTC 2017


Hello Rowland,

Thank you very much.  Give me two days of time.  Will test it here in my
setup and give you feedback.

Regards,

Ananth

On 7 Jul 2017 2:39 p.m., "Rowland Penny" <rpenny at samba.org> wrote:

> On Fri, 7 Jul 2017 05:29:30 +0530
> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>
> > Hello Marc,
> >
> > > Hi Anantha,
> > >
> > > Am 06.07.2017 um 10:02 schrieb Anantha Raghava via samba:
> > >> Is there any way we can rebuild corrupt Default Domain Policy and
> > >> Default Domain Controller Policy?
> > > What is broken?
> > Entire Default Domain and Default Domain Controller Policies along
> > with other Policies that we had built are broken.
>
> I have written a bash script that should do what you need and I have
> attached a copy. I haven't tested it (never had need to), but it
> should work, it is just a bash interpretation of the python code used
> during provision.
> It was written on Devuan (Debian without systemd), so if you are using
> some other OS, or have moved sysvol (not a good idea), then you may
> need to tweak it.
>
> > >> In windows AD we can use dcgpofix utility to recreate the Default
> > >> Domain and Domain Controller Policies. Something similar available
> > >> in Samba AD DC?
> > > You can recover the files from your backup and to reset
> > > Sysvol/directory ACLs, run
> > > # samba-tool ntacl sysvolreset
> > I believe, samba-tool ntacl sysvolreset does not function in the manner
> > in which it is supposed to. I have seen many discussions on this.
>
> The problem with sysvolreset isn't so much with the default policies,
> it is with any extra policies you might add, this is further compounded
> by giving 'Domain Admins' a gidNumber. 'Domain Admins' needs to own
> directories in the extra policies added, it cannot do this if it has a
> gidNumber, this is because it is then only a group and a group in Unix
> cannot own anything.
>
> In your case, after you have recreated sysvol, I would run sysvolreset,
> then add your other policies and then never run sysvolreset again.
>
> Rowland
>
>

