[Samba] Fixing sysvol permissions
Mark Foley
mfoley at ohprs.org
Mon Jun 18 16:34:12 UTC 2018
On Fri, 15 Jun 2018 12:32:52 +0200 L.P.H. van Belle wrote:
>
> > OK, Everyone is currently set to FULL CONTROL. I'll set that to READ.
>
> Ai, now... Nobody can write over the share, PCs will complain.
> Some GPO setting will stop working.
But, when I ran your samba-check-set-sysvol.sh script it told me to set EVERYONE: READ. See
below:
> > $ ./samba-check-set-sysvol.sh
> > Review the file : default-rights-sysvol.acl, these contains
> > the defaults for sysvol.
> > The sysvol ACLS info.....
> >
> > Please check your share rights for sysvol from within windows.
> > If these are incorrect, correct them and run this script again.
> > Set your sysvol SHARE permissions as followed.
> > EVERYONE: READ <----------------------------------
> > Authenticated Users: FULL CONTROL
> > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> > User/Group system is added compaired to a win2008R2 sysvol,
> > you need this for some GPO
> > settings.
> >
> > Set your sysvol FOLDER permissions as followed.
> > Authenticated Users: Read & Exec, Show folder content, Read
> > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
Perhaps I'm confusing Folder permissions and Share permissions.
> Look here, and setup like that.
> https://support.microsoft.com/nl-nl/help/2838154/permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-th
Problem: On that link, step 2 "Check whether the Listobject permission is set for the
Authenticated Users group and whether the Authenticated Users group is missing from the
Delegation tab of the Group Policy Object." When I edit 'Authenticated Users', I don't have
that "Default Domain Controllers Policy" dialog. Or if I do, that link doesn't tell me how to
get there.
Let me list everything I've got:
sysvol FOLDER Permissions:
CREATOR OWNER
    special
    (Advanced) Subfolders and files only
    (Full Control - everything is checked)
    (apply these permissions to objects and/or containers ... not checked)
CREATOR GROUP Subfolders and files only
    special
    (Advanced) Subfolders and files only
    Traverse folder / execute file
    List folder / read data
    Read attributes
    Read extended attributes
    Read permissions
    (apply these permissions to objects and/or containers ... not checked)
Authenticated Users
    Read & Execute
    List folder contents
    Read
    (Advanced) This folder, Subfolders and files
    Traverse folder / execute file
    List folder / read data
    Read attributes
    Read extended attributes
    Read permissions
    (apply these permissions to objects and/or containers ... not checked)
SYSTEM
    Full control
    (advanced) This folder, subfolders and files
    full control - everything is checked
    (apply these permissions to objects and/or containers ... not checked)
Administrators (HPRS\Administrators)
    Full control
    (advanced) This folder, subfolders and files
    full control - everything is checked
    (apply these permissions to objects and/or containers ... not checked)
sysvol SHARE Permissions:
EVERYONE: READ
Authenticated Users: FULL CONTROL
HPRS\Administrators: FULL CONTROL
SYSTEM, FULL CONTROL
Does this look correct? Is this what you have?
Nevertheless, when I try to log into a workstation as a domain user I still do not get that
user's desktop. In the Windows eventlog Windows Logs > System, I get Event 1906 error,
GroupPolicy:
Error Description: Access is denied.
GPOCName: LDAP://CN=User,cn={178C3418-E432-414A-9185-DCD1AB359A3B},cn=policies,cn=system,DC=hprs,DC=local
FilePath: \\hprs.local\SysVol\hprs.local\Policies\{178C3418-E432-414A-9185-DCD1AB359A3B}\User\registry.pol
This is driving me crazy!
--Mark
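The folder-versus-share confusion in this message, illustrated with an added example that is not part of the thread and not the samba-check-set-sysvol.sh script: a Python audit of a sysvol folder DACL given as SDDL (the form `samba-tool ntacl get <path> --as-sddl` prints), checked against the layout listed above, plus the rule that a user connecting over the share gets only the rights present in both the share ACL and the folder ACL. The SDDL string and the share ACL below are constructed from Mark's listing; the access-mask values are the standard Windows ones, and the audit policy (which principals may hold write bits) is an assumption modelled on that listing.

```python
import re

# Windows access-mask constants for file objects (standard values).
FILE_ALL = 0x1F01FF           # Full Control (SDDL alias FA)
FILE_READ = 0x120089          # FILE_GENERIC_READ (FR)
FILE_WRITE = 0x120116         # FILE_GENERIC_WRITE (FW)
FILE_EXECUTE = 0x1200A0       # FILE_GENERIC_EXECUTE (FX)
READ_EXEC = FILE_READ | FILE_EXECUTE   # 0x1200A9, what the GUI calls "Read & Execute"
# Bits that let a principal change data, attributes, the ACL or the owner.
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x100 | 0x10000 | 0x40000 | 0x80000
# Share-permission masks behind the share dialog's Read / Change / Full Control.
SHARE_READ, SHARE_CHANGE, SHARE_FULL = 0x1200A9, 0x1301BF, 0x1F01FF

RIGHT_ALIASES = {
    "FA": FILE_ALL, "FR": FILE_READ, "FW": FILE_WRITE, "FX": FILE_EXECUTE,
    # generic rights, pre-mapped to their file-object equivalents
    "GA": FILE_ALL, "GR": FILE_READ, "GW": FILE_WRITE, "GX": FILE_EXECUTE,
    "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
}
SID_ALIASES = {
    "SY": "SYSTEM", "BA": "Administrators", "AU": "Authenticated Users",
    "WD": "Everyone", "CO": "CREATOR OWNER", "CG": "CREATOR GROUP",
    "SO": "Server Operators", "DA": "Domain Admins",
}


def parse_rights(field):
    """Rights field of an ACE: hex (0x1200a9) or concatenated two-letter aliases (FA, GRGX)."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHT_ALIASES[field[i:i + 2]]
    return mask


def parse_sddl_dacl(sddl):
    """Return the DACL's allow/deny ACEs as dicts with keys type, flags, mask, sid."""
    match = re.search(r"D:(.*?)(?:S:|$)", sddl)
    if not match:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(1)):
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")
        if ace_type not in ("A", "D"):
            continue  # audit/object ACE types play no part in file access checks
        aces.append({
            "type": ace_type,
            "flags": {flags[i:i + 2] for i in range(0, len(flags), 2)},
            "mask": parse_rights(rights),
            "sid": SID_ALIASES.get(sid, sid),
        })
    return aces


def audit_sysvol_dacl(sddl):
    """Check a sysvol folder DACL against the layout listed in the mail (an assumed policy).
    Returns a list of findings; an empty list means it matches."""
    findings = []
    allowed = {}
    for ace in parse_sddl_dacl(sddl):
        if ace["type"] == "D":
            findings.append(f"unexpected deny ACE for {ace['sid']}")
            continue
        allowed[ace["sid"]] = allowed.get(ace["sid"], 0) | ace["mask"]
    for who in ("Administrators", "SYSTEM"):
        if (allowed.get(who, 0) & FILE_ALL) != FILE_ALL:
            findings.append(f"{who} lacks Full Control")
    if (allowed.get("Authenticated Users", 0) & READ_EXEC) != READ_EXEC:
        findings.append("Authenticated Users lacks Read & Execute (clients could not read policies)")
    for who, mask in allowed.items():
        # Full Control for CREATOR OWNER on subfolders/files is part of the listed layout.
        if who not in ("Administrators", "SYSTEM", "CREATOR OWNER") and mask & WRITE_BITS:
            findings.append(f"{who} has write/modify rights on sysvol")
    return findings


def effective_access(share_acl, folder_sddl, memberships):
    """Rights a user actually gets over the share: the share ACL and the folder DACL are
    evaluated separately and only their intersection applies (deny ACEs ignored here)."""
    share_mask = 0
    for who in memberships:
        share_mask |= share_acl.get(who, 0)
    folder_mask = 0
    for ace in parse_sddl_dacl(folder_sddl):
        # inherit-only ACEs do not apply to the folder itself
        if ace["type"] == "A" and ace["sid"] in memberships and "IO" not in ace["flags"]:
            folder_mask |= ace["mask"]
    return share_mask & folder_mask


# Constructed sample modelled on the folder and share permissions listed in the mail.
FOLDER_SDDL = ("O:BAG:BAD:P(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;CG)"
               "(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)")
SHARE_ACL = {"Everyone": SHARE_READ, "Authenticated Users": SHARE_FULL,
             "Administrators": SHARE_FULL, "SYSTEM": SHARE_FULL}

if __name__ == "__main__":
    print("findings:", audit_sysvol_dacl(FOLDER_SDDL) or "none")
    user = {"Everyone", "Authenticated Users"}
    print("domain user over the share: 0x%X" % effective_access(SHARE_ACL, FOLDER_SDDL, user))
```

With the listed layout the audit returns no findings, and a plain domain user (member of Everyone and Authenticated Users) ends up with 0x1200A9, read and execute only, because the folder ACL is the limiting layer even though the share grants Authenticated Users Full Control. The check only covers the sysvol root DACL and ignores deny ACEs; an "Access is denied" on one registry.pol, as in the Event 1906 above, means the ACL of that policy subfolder needs the same inspection.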