me at tdiehl.org
2021-Feb-01 15:41 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
On Fri, 29 Jan 2021, Rowland penny via samba wrote:

> On 29/01/2021 15:36, Marco Shmerykowsky via samba wrote:
>>
>> On 1/29/2021 2:58 AM, L.P.H. van Belle via samba wrote:
>>> 2) samba-tool sysvol reset on dc with FSMO. (dc1)
>>
>> On the SambaWiki for Sysvolreset it states:
>>
>>     Advice via mailing list (as of May 2018)
>>
>>     (courtesy of Rowland Penny)
>>
>>     If you have added any custom GPOs, never ever use
>>     sysvolcheck or sysvolreset
>>
>> I have GPO's for drive mapping and screen background.
>> I'd assume they qualify as "custom"
>>
>> Should I or shouldn't I run 'samba-tool ntacl sysvolreset'?
>>
> OK, I have updated that wikipage, it now says:
>
> If you have added any custom GPOs and given Domain Admins a gidNumber
> attribute, never ever use sysvolcheck or sysvolreset, this because this turns
> the windows group into a Unix group.
> ''(You are now probably thinking 'what?', a group is just a group, right ?
> Well, no, a Windows group can do something that no Unix group can, it can own
> files and directories and guess what needs to own files and directories in
> sysvol ??)''
>
>
> If you have added any GPO's and haven't given Domain Admins a gidNumber
> attribute, then you can run sysvolreset.

What about the case where you have custom GPO's but have NOT given Domain Admins
a gidNumber? For instance after you join a new DC to the domain.

Regards,

--
Tom
me at tdiehl.org

Rowland penny
2021-Feb-01 15:54 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
On 01/02/2021 15:41, me at tdiehl.org wrote:

> On Fri, 29 Jan 2021, Rowland penny via samba wrote:
>
>> On 29/01/2021 15:36, Marco Shmerykowsky via samba wrote:
>>>
>>> On 1/29/2021 2:58 AM, L.P.H. van Belle via samba wrote:
>>>> 2) samba-tool sysvol reset on dc with FSMO. (dc1)
>>>
>>> On the SambaWiki for Sysvolreset it states:
>>>
>>>     Advice via mailing list (as of May 2018)
>>>
>>>     (courtesy of Rowland Penny)
>>>
>>>     If you have added any custom GPOs, never ever use
>>>     sysvolcheck or sysvolreset
>>>
>>> I have GPO's for drive mapping and screen background.
>>> I'd assume they qualify as "custom"
>>>
>>> Should I ir shouldn't I run 'samba-tool ntacl sysvolreset'?
>>>
>> OK, I have updated that wikipage, it now says:
>>
>> If you have added any custom GPOs and given Domain Admins a gidNumber
>> attribute, never ever use sysvolcheck or sysvolreset, this because
>> this turns the windows group into a Unix group.
>> ''(You are now probably thinking 'what?', a group is just a group,
>> right ? Well, no, a Windows group can do something that no Unix group
>> can, it can own files and directories and guess what needs to own
>> files and directories in sysvol ??)''
>>
>>
>> If you have added any GPO's and haven't given Domain Admins a
>> gidNumber attribute, then you can run sysvolreset.
>
> What about the case where you have custom GPO's but have NOT given
> Domain Admins
> a gidNumber? For instance after you join a new DC to the domain.
>
> Regards,
>

I don't really understand that, if you join a new DC to a domain where Domain Admins has a gidNumber, then Domain Admins on the new DC will have a gidNumber, but if Domain Admins doesn't have a gidNumber in the domain, then Domain Admins will not have a gidNumber on the new DC.

Rowland
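
The wiki rule quoted in this thread can be turned into a pre-flight check before anyone runs sysvolreset; the sketch below is an added example, not code from the thread or from Samba. It assumes "custom" means any GPO folder other than the two default policy GUIDs, that the caller supplies the sysvol Policies directory, and that the group's LDIF comes from something like `samba-tool group show 'Domain Admins' --attributes=gidNumber` (assumed invocation); the function names and sample data are constructed.

```shell
#!/bin/sh
# Added example: gate for 'samba-tool ntacl sysvolreset' per the quoted wiki rule.
# Well-known GUIDs of the Default Domain and Default Domain Controllers policies.
DEFAULT_GPOS='{31B2F340-016D-11D2-945F-00C04FB984F9} {6AC1786C-016F-11D2-945F-00C04FB984F9}'

# count_custom_gpos POLICIES_DIR: number of GPO folders that are not defaults.
count_custom_gpos() {
    n=0
    for d in "$1"/\{*\}; do
        [ -d "$d" ] || continue
        guid=$(basename "$d" | tr 'a-f' 'A-F')   # on-disk case varies
        case " $DEFAULT_GPOS " in
            *" $guid "*) ;;
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# has_gidnumber: LDIF for Domain Admins on stdin; true if gidNumber has a value.
# Matches the plain "gidNumber:" and base64 "gidNumber::" forms, any case.
has_gidnumber() {
    grep -Eiq '^gidNumber::?[[:space:]]*[^[:space:]:]'
}

# sysvolreset_verdict POLICIES_DIR (group LDIF on stdin): prints the verdict.
sysvolreset_verdict() {
    custom=$(count_custom_gpos "$1")
    if has_gidnumber; then gid=yes; else gid=no; fi
    if [ "$custom" -gt 0 ] && [ "$gid" = yes ]; then
        echo "never-run"      # custom GPOs + gidNumber: wiki says never
    elif [ "$custom" -gt 0 ]; then
        echo "can-run"        # custom GPOs, no gidNumber: wiki allows it
    else
        echo "not-covered"    # the quoted advice only addresses added GPOs
    fi
}

# Constructed sample: two default GPOs, one custom GPO, gidNumber set.
demo() {
    t=$(mktemp -d)
    mkdir "$t/{31B2F340-016D-11D2-945F-00C04FB984F9}" \
          "$t/{6AC1786C-016F-11D2-945F-00C04fB984F9}" \
          "$t/{11111111-2222-3333-4444-555555555555}"
    printf 'dn: CN=Domain Admins,CN=Users,DC=example,DC=com\ngidNumber: 10000\n' |
        sysvolreset_verdict "$t"
    rm -rf "$t"
}
demo
```

Run it on each DC separately: the verdict depends on what that DC's own database and sysvol copy contain.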