[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
Rowland Penny
rpenny at samba.org
Fri Jan 29 15:53:12 UTC 2021
On 29/01/2021 15:36, Marco Shmerykowsky via samba wrote:
>
> On 1/29/2021 2:58 AM, L.P.H. van Belle via samba wrote:
>> 2) samba-tool sysvol reset on dc with FSMO. (dc1)
>
> On the SambaWiki for Sysvolreset it states:
>
> Advice via mailing list (as of May 2018)
>
> (courtesy of Rowland Penny)
>
> If you have added any custom GPOs, never ever use
> sysvolcheck or sysvolreset
>
> I have GPOs for drive mapping and screen background.
> I'd assume they qualify as "custom"
>
> Should I or shouldn't I run 'samba-tool ntacl sysvolreset'?
>
OK, I have updated that wikipage, it now says:
If you have added any custom GPOs and given Domain Admins a gidNumber
attribute, never ever use sysvolcheck or sysvolreset, this is because this
turns the Windows group into a Unix group.
''(You are now probably thinking 'what?', a group is just a group, right?
Well, no, a Windows group can do something that no Unix group can, it
can own files and directories and guess what needs to own files and
directories in sysvol ??)''
If you have added any GPOs and haven't given Domain Admins a gidNumber
attribute, then you can run sysvolreset.
Rowland
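
The check described in the reply above, as an added example that is not part of the original message or of Samba itself: it reads LDIF (as produced by ldbsearch) and reports whether the Domain Admins record carries a gidNumber, ignoring a gidNumber on other groups such as Domain Users. The function names, the sample LDIF, the sam.ldb path in the comment and the assumption that the group's DN begins with CN=Domain Admins are all assumptions of this example.

```shell
#!/bin/sh
# Added example. On a DC the LDIF could come from a query like this
# (the sam.ldb path is an assumption and differs between packages):
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=group)' gidNumber

# Reads LDIF on stdin. Prints the gidNumber found in the Domain Admins
# record and returns 0; returns 1 if that record has no gidNumber.
domain_admins_gid() {
    awk '
        # A dn: line starts a record; remember whether it is Domain Admins.
        /^dn:/ { in_da = (tolower($0) ~ /^dn: cn=domain admins,/) }
        # A blank line ends the current record.
        /^$/   { in_da = 0 }
        # LDIF attribute names are case-insensitive.
        in_da && tolower($1) == "gidnumber:" { print $2; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Applies the rule from the message: with custom GPOs in place,
# sysvolreset is only acceptable when Domain Admins has no gidNumber.
sysvolreset_verdict() {
    if gid=$(domain_admins_gid); then
        echo "unsafe: Domain Admins has gidNumber $gid"
    else
        echo "ok: Domain Admins has no gidNumber"
    fi
}

# Constructed sample LDIF (not output from a real domain).
SAMPLE_WITH_GID='# record 1
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
gidNumber: 10000

# record 2
dn: CN=Domain Users,CN=Users,DC=example,DC=com
gidNumber: 10001
'
SAMPLE_WITHOUT_GID='# record 1
dn: CN=Domain Users,CN=Users,DC=example,DC=com
gidNumber: 10001

# record 2
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
'
```

Pipe the ldbsearch output into sysvolreset_verdict before deciding whether to run 'samba-tool ntacl sysvolreset'.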