Marco Shmerykowsky
2021-Jan-29 15:36 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
On 1/29/2021 2:58 AM, L.P.H. van Belle via samba wrote:
> 2) samba-tool sysvol reset on dc with FSMO. (dc1)

On the SambaWiki for Sysvolreset it states:

    Advice via mailing list (as of May 2018)
    (courtesy of Rowland Penny)
    If you have added any custom GPOs, never ever use
    sysvolcheck or sysvolreset

I have GPO's for drive mapping and screen background.
I'd assume they qualify as "custom"

Should I or shouldn't I run 'samba-tool ntacl sysvolreset'?
Rowland penny
2021-Jan-29 15:53 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
On 29/01/2021 15:36, Marco Shmerykowsky via samba wrote:
>
> On 1/29/2021 2:58 AM, L.P.H. van Belle via samba wrote:
>> 2) samba-tool sysvol reset on dc with FSMO. (dc1)
>
> On the SambaWiki for Sysvolreset it states:
>
>     Advice via mailing list (as of May 2018)
>     (courtesy of Rowland Penny)
>     If you have added any custom GPOs, never ever use
>     sysvolcheck or sysvolreset
>
> I have GPO's for drive mapping and screen background.
> I'd assume they qualify as "custom"
>
> Should I or shouldn't I run 'samba-tool ntacl sysvolreset'?
>

OK, I have updated that wikipage, it now says:

If you have added any custom GPOs and given Domain Admins a gidNumber attribute, never ever use sysvolcheck or sysvolreset, this because this turns the windows group into a Unix group.
''(You are now probably thinking 'what?', a group is just a group, right ? Well, no, a Windows group can do something that no Unix group can, it can own files and directories and guess what needs to own files and directories in sysvol ??)''

If you have added any GPO's and haven't given Domain Admins a gidNumber attribute, then you can run sysvolreset.

Rowland
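The rule in the updated wiki text can be turned into a pre-flight check. The following is an added example, not part of the thread or of Samba itself; it assumes the installed `samba-tool` provides `group show` with `--attributes`, and the function names and sample LDIF records are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: refuse sysvolreset when Domain Admins carries a gidNumber.

# Constructed sample records in the LDIF shape that "samba-tool group show" prints.
SAMPLE_WITH_GID='dn: CN=Domain Admins,CN=Users,DC=example,DC=com
gidNumber: 10000'
SAMPLE_WITHOUT_GID='dn: CN=Domain Admins,CN=Users,DC=example,DC=com'

# Read LDIF on stdin; succeed if a non-empty gidNumber attribute is present.
# LDIF attribute names are case-insensitive and "::" marks a base64 value.
ldif_has_gidnumber() {
    awk '
        tolower($0) ~ /^gidnumber::?[ \t]*[^ \t]/ { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Read LDIF on stdin and print "skip" (gidNumber set) or "reset" (not set).
sysvolreset_decision() {
    if ldif_has_gidnumber; then
        echo "skip"
    else
        echo "reset"
    fi
}

# Query the live directory and only reset sysvol ACLs when the rule allows it.
# Run as root on the DC: guarded_sysvolreset
guarded_sysvolreset() {
    _ldif=$(samba-tool group show "Domain Admins" --attributes=gidNumber) || {
        echo "could not query Domain Admins; not touching sysvol" >&2
        return 2
    }
    if [ "$(printf '%s\n' "$_ldif" | sysvolreset_decision)" = "skip" ]; then
        echo "Domain Admins has a gidNumber: not running sysvolreset" >&2
        return 1
    fi
    samba-tool ntacl sysvolreset
}
```

A failed query is treated the same as "do not reset", so an unreachable or misconfigured directory never leads to the ACLs being rewritten.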
me at tdiehl.org
2021-Feb-01 15:41 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
On Fri, 29 Jan 2021, Rowland penny via samba wrote:
> On 29/01/2021 15:36, Marco Shmerykowsky via samba wrote:
>>
>> On 1/29/2021 2:58 AM, L.P.H. van Belle via samba wrote:
>>> 2) samba-tool sysvol reset on dc with FSMO. (dc1)
>>
>> On the SambaWiki for Sysvolreset it states:
>>
>>     Advice via mailing list (as of May 2018)
>>     (courtesy of Rowland Penny)
>>     If you have added any custom GPOs, never ever use
>>     sysvolcheck or sysvolreset
>>
>> I have GPO's for drive mapping and screen background.
>> I'd assume they qualify as "custom"
>>
>> Should I or shouldn't I run 'samba-tool ntacl sysvolreset'?
>>
> OK, I have updated that wikipage, it now says:
>
> If you have added any custom GPOs and given Domain Admins a gidNumber
> attribute, never ever use sysvolcheck or sysvolreset, this because this turns
> the windows group into a Unix group.
> ''(You are now probably thinking 'what?', a group is just a group, right ?
> Well, no, a Windows group can do something that no Unix group can, it can own
> files and directories and guess what needs to own files and directories in
> sysvol ??)''
>
>
> If you have added any GPO's and haven't given Domain Admins a gidNumber
> attribute, then you can run sysvolreset.

What about the case where you have custom GPO's but have NOT given Domain Admins a gidNumber? For instance after you join a new DC to the domain.

Regards,

--
Tom
me at tdiehl.org