[Samba] GPOs not Working!

Robert Marcano robert at marcanoonline.com
Wed Feb 7 02:18:41 UTC 2018


On 02/06/2018 03:24 PM, L.P.H. van Belle via samba wrote:
> ok,
> 
> do the following.
> set ignore systemacl to yes on sysvol and netlogon.

Added "acl_xattr:ignore system acls = yes" to both shares, restarted the 
server

> 
> login as dom\administrator
> computer manager, connect to dc.
> share sysvol, goto share security, reset to defalts.
> same for folder.

I don't get the "Reset to defaults" option. There are two security 
related tabs, "Permission of shared resources" (or something like that, 
Windows is not in English) with only permissions for Everyone with Full 
control, Change and Read.

The other tab is the standard "Security" tab, those tabs don't show any 
reset to default option

> 
> goto gpo manager,
> klik on every gpo object, if one has wrong acl, you get a message to reset it, thats ok.
> 
> now never samba-tool sysvol reset
> if you do, you might need to set share/file security again.
> 
> Greetz
> Louis
> 
> p.s rowland, now you can change the default gpo’s also.
> 
> 
> 
>> Op 6 feb. 2018 om 20:14 heeft Rowland Penny via samba <samba at lists.samba.org> het volgende geschreven:
>>
>> On Tue, 6 Feb 2018 15:03:16 -0400
>> Robert Marcano via samba <samba at lists.samba.org> wrote:
>>
>>> Thanks for the information, to use a default GPO was a simple way to
>>> try to encourage someone to reproduce the problem.
>>>
>>> I already created new GPOs (this is a test domain) Using the default
>>> filter for a new GPO, "Authenticated users", creating a new group for
>>> the test clients and using that as the filter, checking it have the
>>> right permissions (apply), checking every guide about applying GPO to
>>> computers. Using OUs and using domain level GPOs.
>>>
>>> What I find weird is that gpresult doesn't list the computer as a
>>> member of groups I create, only a few predefined ones:
>>>
>>>    NULL SID
>>>    NT AUTHORITY\NETWORK,
>>>    This company,
>>>    and something like "mandatory level of no trust" (Windows is not in
>>> english)
>>>
>>
>> Do not alter the two default GPOs, it doesn't work ;-)
>>
>> Creating new GPOs should work, just do not run sysvolreset after
>> creating them.
>>
>> Rowland
>>
>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
> 
> 




More information about the samba mailing list