[Samba] Deploy software in fileserver folder
Denis Cardon
dcardon at tranquil.it
Fri Jan 12 11:19:27 UTC 2018
Hi Elias,
> Hello Denis, thanks for the answer!!!
>
> so for accessing a share on the file server, you'll need to add read
> rights for "domain computers" group
>
>
> Is this read permission for the domain computer I need to configure in
> the deploy software GPO, sharing folder or both?
When you create GPO through RSAT it will set the proper rights on the
sysvol share. If you messed up with your rights, then use samba-tool
ntacl sysvolcheck / sysvolreset.
On the other hand, you'll have to properly set up the rights on your
file share with "domain computer" read privileges.
>
> psexec -i -s cmd
> net use F: \\server\sharename
> dir f:
>
>
> At first I was able to execute the commands above. At first I had to run
> a cmd with adm privileges, because in the normal user it was denied
> access. After that the mapping worked and I got the access in F:
Yes, you'll need elevated privileges to run this command. You can check
if you you have enough privileges using the command below. In the
listing, you should have "High Mandatory Level" at the end of the list.
whoami /groups
But anyway, I'd say it is not a friendly move from me to help you fix
that, you should really look into a software deployement solution, it
will make your life much easier! :-)
Cheers,
Denis
>
>
>
> On Thu, Jan 11, 2018 at 2:06 PM, Denis Cardon <dcardon at tranquil.it
> <mailto:dcardon at tranquil.it>> wrote:
>
> Hi Elias,
>
> I thought it worked, but after I uninstalled the software that I
> deployed
> via user scope, it did not reinstall. I selected the "Redeploy
> application"
> option, but it also did not work.
>
>
> The user scope GPO are run with the privileges and access tokens of
> the logged on user, so the user have local admin rights for install
> and need access rights to the share you are putting your
> installation files (read rights for "domain users" group for example).
>
> The computer scope GPO are run with maximum privileges using
> LocalSystem account. LocalSystem has access to machine kerberos
> credentials, so for accessing a share on the file server, you'll
> need to add read rights for "domain computers" group. You can check
> that your computer account can connect to a share by login in as
> LocalSystem using psexec:
> psexec -i -s cmd
> net use F: \\server\sharename
> dir f:
>
> Any way, you'd be better at using a software deployment solution for
> that task (GPO are really not good at that, even Microsoft would
> advise you to use ConfigMgr/SCCM). I'm partial on that point as I'm
> one of the developers, but I'd advise you to check out WAPT [2].
>
> Cheers,
>
> Denis
>
> [1] https://docs.microsoft.com/en-us/sysinternals/downloads/pstools
> <https://docs.microsoft.com/en-us/sysinternals/downloads/pstools>
> [2] https://wapt.fr/en
>
>
>
> I read that in the user scope there are 2 installation options:
>
> - Deployed to User, Assigned Software - Not installed until the
> default is
> opened in the Programs Folder in the Start Menu.
> - Deploy to User, Published Software - Not installed until
> initiated to be
> installed from the "Programs and Features".
>
> I used both options and it was not installed either.
>
> I want to try to install via computer scope and into a
> fileserver folder
> because of disk space in AD.
>
> Is there any other way to set this up?
>
>
> On Thu, Jan 11, 2018 at 8:48 AM, Elias Pereira
> <empbilly at gmail.com <mailto:empbilly at gmail.com>> wrote:
>
> Hey Luke, thanks for the help!!! It's working now!!!
>
> God bless you and your family!! :D
>
> Remember that GPOs need to run as the context of either the
> computer or
>
> the user. Computers typically do not have access to many
> folders on a file
> server, even as "Everyone". That is why the NETLOGON
> folder works.
>
> If you're deploying as a USER configuration, then it
> should run as the
> context of the user, meaning the Everyone permission
> would work.
>
>
> On Wed, Jan 10, 2018 at 6:07 PM, Elias Pereira
> <empbilly at gmail.com <mailto:empbilly at gmail.com>> wrote:
>
> Luke,
>
> I'm running via computer scope and I believe that's the
> problem. Later I
> will test and give a return if that was the detail.
>
>
> Em 10 de jan de 2018 15:47, "Luke Barone"
> <lukebarone at gmail.com <mailto:lukebarone at gmail.com>>
> escreveu:
>
> Which GPO? Computer or User Configuration?
>
> Remember that GPOs need to run as the context of either
> the computer or
> the user. Computers typically do not have access to many
> folders on a file
> server, even as "Everyone". That is why the NETLOGON
> folder works.
>
> If you're deploying as a USER configuration, then it
> should run as the
> context of the user, meaning the Everyone permission
> would work.
>
> On Wed, Jan 10, 2018 at 9:45 AM, Elias Pereira
> <empbilly at gmail.com <mailto:empbilly at gmail.com>>
> wrote:
>
> Sorry for a lack of information. I'm using GPOs for
> deploy the software.
>
> Em 10 de jan de 2018 3:00 PM, "Luke Barone"
> <lukebarone at gmail.com <mailto:lukebarone at gmail.com>>
> escreveu:
>
> How are you deploying the software? You've given us
> very little
>
> On Jan 10, 2018 7:01 AM, "Elias Pereira via samba" <
> samba at lists.samba.org
> <mailto:samba at lists.samba.org>> wrote:
>
> I tested putting "everyone" with full permission
> on the folder, but
> still
> the software deploy does not work.
>
> Any idea?
>
> On Tue, Jan 9, 2018 at 11:37 AM, Elias Pereira
> <empbilly at gmail.com <mailto:empbilly at gmail.com>>
> wrote:
>
> Hello list,
>
> I tried to set up a folder on our fileserver
> domain member, so I can
> deploy software for users' machines, but is
> not working.
>
> If I put the software inside "netlogon" it
> installs correctly.
>
> \\172.16.1.7\storage\programs
>
> Auth Users - read & execute, list folder
> contents, read and write
>
> Do I need other permissions?
>
> --
> Elias Pereira
>
>
>
>
> --
> Elias Pereira
> --
> To unsubscribe from this list go to the
> following URL and read the
> instructions:
> https://lists.samba.org/mailman/options/samba
> <https://lists.samba.org/mailman/options/samba>
>
>
>
>
>
>
>
> --
> Elias Pereira
>
>
>
>
>
> --
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55 <tel:%2B33%20%280%29%202.40.97.57.55>
> http://www.tranquil-it-systems.fr <http://www.tranquil-it-systems.fr>
>
>
>
>
> --
> Elias Pereira
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
More information about the samba
mailing list