[Samba] Fixing sysvol permissions

Mark Foley mfoley at ohprs.org
Mon Jun 18 16:34:12 UTC 2018


On Fri, 15 Jun 2018 12:32:52 +0200 L.P.H. van Belle wrote:
>
> > OK, Everyone is currently set to FULL CONTROL. I'll set that to READ.
>
> Ai, now... Nobody can write over the share, PCs will complain. 
> Some GPO settings will stop working. 

But, when I ran your samba-check-set-sysvol.sh script it told me to set EVERYONE: READ. See
below:

> > $ ./samba-check-set-sysvol.sh
> > Review the file : default-rights-sysvol.acl, these contains 
> > the defaults for sysvol.
> > The sysvol ACLS info.....                                                                  
> > 
> > Please check your share rights for sysvol from within windows.
> > If these are incorrect, correct them and run this script again.
> > Set your sysvol SHARE permissions as followed.
> > EVERYONE: READ              <----------------------------------
> > Authenticated Users: FULL CONTROL
> > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> > User/Group system is added compaired to a win2008R2 sysvol, 
> > you need this for some GPO
> > settings.
> > 
> > Set your sysvol FOLDER permissions as followed.
> > Authenticated Users: Read & Exec, Show folder content, Read
> > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL

Perhaps I'm confusing Folder permissions and Share permissions.

> Look here, and setup like that. 
> https://support.microsoft.com/nl-nl/help/2838154/permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-th

Problem: On that link, step 2 "Check whether the Listobject permission is set for the
Authenticated Users group and whether the Authenticated Users group is missing from the
Delegation tab of the Group Policy Object."  When I edit 'Authenticated Users', I don't have
that "Default Domain Controllers Policy" dialog. Or if I do, that link doesn't tell me how to
get there.

Let me list everything I've got:

sysvol FOLDER Permissions:

CREATOR OWNER 
special
(Advanced) Subfolders and files only
(Full Control - everything is checked)
(apply these permissions to objects and/or containers ... not checked)

CREATOR GROUP Subfolders and files only
special
(Advanced) Subfolders and files only
Traverse folder / execute file
List folder / read data
Read attributes
Read extended attributes
Read permissions
(apply these permissions to objects and/or containers ... not checked)

Authenticated Users
Read & Execute
List folder contents
Read
(Advanced) This folder, Subfolders and files
Traverse folder / execute file
List folder / read data
Read attributes
Read extended attributes
Read permissions
(apply these permissions to objects and/or containers ... not checked)

SYSTEM
Full control
(advanced) This folder, subfolders and files
full control - everything is checked
(apply these permissions to objects and/or containers ... not checked)

Administrators (HPRS\Administrators)
Full control
(advanced) This folder, subfolders and files
full control - everything is checked
(apply these permissions to objects and/or containers ... not checked)

sysvol SHARE Permissions:

EVERYONE: READ
Authenticated Users: FULL CONTROL
HPRS\Administrators: FULL CONTROL
SYSTEM, FULL CONTROL

Does this look correct? Is this what you have?

Nevertheless, when I try to log into a workstation as a domain user I still do not get that
user's desktop. In the Windows event log under Windows Logs > System, I get an Event 1906 error,
GroupPolicy:

Error Description: Access is denied.
GPOCName: LDAP://CN=User,cn={178C3418-E432-414A-9185-DCD1AB359A3B},cn=policies,cn=system,DC=hprs,DC=local
FilePath: \\hprs.local\SysVol\hprs.local\Policies\{178C3418-E432-414A-9185-DCD1AB359A3B}\User\registry.pol

This is driving me crazy!

--Mark
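The Event 1906 "Access is denied" on registry.pol in the message above comes down to one question: does Authenticated Users hold at least Read & Execute on that file's DACL? The following is an added example, not code from this thread or from Samba, that parses a sysvol ACL in the SDDL form printed by `samba-tool ntacl get --as-sddl <path>` and answers that question. The sample ACL strings are constructed for the example; the numeric access masks are the standard Win32 file masks (0x001F01FF full control, 0x001200A9 read and execute) and the two-letter SID aliases (AU, BA, SY, ...) are SDDL's well-known abbreviations. The function and constant names are the example's own.

```python
"""Check a sysvol file or folder ACL (as an SDDL string) for the Authenticated
Users read access that Group Policy processing needs on registry.pol."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Standard Win32 file access masks, named here for the example.
FULL_CONTROL = 0x001F01FF
READ_EXEC = 0x001200A9        # Explorer: Read & Execute, List folder contents, Read

# SDDL letter codes for rights and well-known SID aliases (readable names).
RIGHTS_TOKENS = {"FA": FULL_CONTROL, "FR": 0x00120089,
                 "FX": 0x001200A0, "FW": 0x00120116}
SID_ALIASES = {"AU": "Authenticated Users", "BA": "BUILTIN\\Administrators",
               "SY": "SYSTEM", "WD": "Everyone", "CO": "CREATOR OWNER",
               "CG": "CREATOR GROUP", "SO": "Server Operators",
               "S-1-5-11": "Authenticated Users"}


class Ace(NamedTuple):
    ace_type: str   # "A" allow, "D" deny
    flags: str      # e.g. "OICI": inherit to files (OI) and folders (CI)
    mask: int       # access mask
    trustee: str    # SDDL alias or literal S-1-... SID


_DACL_RE = re.compile(r"D:([A-Z]*(?:\([^)]*\))*)")   # the D: section of SDDL
_ACE_RE = re.compile(r"\(([^)]*)\)")                  # one (…) ACE


def _parse_mask(token: str) -> int:
    """Accept either an SDDL rights code (FA, FR, ...) or a hex mask."""
    if token in RIGHTS_TOKENS:
        return RIGHTS_TOKENS[token]
    if token.lower().startswith("0x"):
        return int(token, 16)
    raise ValueError(f"unsupported SDDL rights token: {token}")


def parse_dacl(sddl: str) -> List[Ace]:
    """Return the DACL ACEs of an SDDL string in order."""
    m = _DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL (D:) section in SDDL string")
    aces = []
    for body in _ACE_RE.findall(m.group(1)):
        parts = body.split(";")
        if len(parts) != 6:   # type;flags;rights;object_guid;inherit_guid;sid
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj, _inh_obj, trustee = parts
        aces.append(Ace(ace_type, flags, _parse_mask(rights), trustee))
    return aces


def effective_mask(aces: List[Ace], trustee: str) -> Tuple[int, int]:
    """OR together the allow and deny masks granted directly to one trustee."""
    allowed = denied = 0
    for ace in aces:
        if ace.trustee != trustee:
            continue
        if ace.ace_type == "A":
            allowed |= ace.mask
        elif ace.ace_type == "D":
            denied |= ace.mask
    return allowed, denied


def check_sysvol_acl(sddl: str, trustee: str = "AU",
                     required: int = READ_EXEC) -> Dict[str, object]:
    """True in 'has_required' only if every required bit is allowed and none denied."""
    allowed, denied = effective_mask(parse_dacl(sddl), trustee)
    ok = (allowed & required) == required and (denied & required) == 0
    return {"trustee": SID_ALIASES.get(trustee, trustee),
            "allowed": allowed, "denied": denied, "has_required": ok}


def summarize(sddl: str) -> List[str]:
    """One line per ACE, roughly what Explorer's Security tab would show."""
    lines = []
    for ace in parse_dacl(sddl):
        name = SID_ALIASES.get(ace.trustee, ace.trustee)
        if ace.mask == FULL_CONTROL:
            level = "Full control"
        elif ace.mask == READ_EXEC:
            level = "Read & Execute"
        else:
            level = f"special 0x{ace.mask:08x}"
        verb = "Allow" if ace.ace_type == "A" else "Deny"
        lines.append(f"{verb} {name}: {level} [{ace.flags}]")
    return lines


# Constructed samples in the shape `samba-tool ntacl get --as-sddl` prints.
SYSVOL_OK = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
             "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
# A registry.pol whose ACL has no Authenticated Users entry at all: clients
# processing the GPO get "Access is denied" on it.
POL_NO_AU = "O:BAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
# An explicit deny on read wins over the inherited allow.
POL_DENY_AU = SYSVOL_OK.replace("D:P", "D:P(D;;0x00120089;;;AU)")

if __name__ == "__main__":
    for label, acl in (("sysvol", SYSVOL_OK), ("registry.pol", POL_NO_AU),
                       ("deny", POL_DENY_AU)):
        print(label, check_sysvol_acl(acl))
        for line in summarize(acl):
            print("   ", line)
```

Run it against the real output of `samba-tool ntacl get --as-sddl` on the registry.pol path from the event, and on each parent folder up to the share root, since an inheritable allow that is missing or overridden higher up produces the same client-side error; `samba-tool ntacl sysvolcheck` and `samba-tool ntacl sysvolreset` do the full-tree comparison and repair against Samba's defaults.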
