Hai Sam,

Try the following,

1) ignore these messages:
> If I create a new GPO The "samba-tool ntacl sysvolcheck" command return
> this error :
> root at S4:~# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> .....

2) add this line to your sysvol share
acl_xattr:ignore system acls = yes

No other OS than Windows uses this share normally, so it's safe to
ignore the system's rights.

3) and check from within Windows the sysvol share rights and the sysvol folder rights.

DO NOT CHANGE ANYTHING.

Now it works.. ;-)

If not

4) give group "Domain Users" a GID

Test again,
Now it works.

If not...
Pff, mail us again. ;-) something else is wrong.

Greetz,

Louis
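A way to confirm that step 2 took effect, as an added example that is not part of the original thread: it reads smb.conf text and reports whether `acl_xattr:ignore system acls` is enabled for the sysvol share. The sample configuration, realm and paths are constructed placeholders; the name normalisation follows smb.conf(5).

```python
import re

# Constructed sample smb.conf for a Samba AD DC; realm and paths are placeholders.
SAMPLE_SMB_CONF = """\
[global]
    realm = EXAMPLE.LAN
    server role = active directory domain controller

[netlogon]
    path = /var/lib/samba/sysvol/example.lan/scripts
    read only = No

; sysvol share carrying the line from step 2
[SysVol]
    path = /var/lib/samba/sysvol
    read only = No
    ACL_XATTR:ignore  system acls = Yes
"""

PARAM = "acl_xattr:ignore system acls"

def _norm(name):
    # smb.conf(5): names are case-insensitive and whitespace in them is irrelevant.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {parameter: value}} keyed by normalised names."""
    text = re.sub(r"\\\r?\n", "", text)  # join lines continued with a trailing backslash
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(_norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # only the first '=' is significant
            current[_norm(key)] = value.strip()
    return sections

def ignores_system_acls(text, share="sysvol"):
    """True or False for the share's effective setting; None if the share is absent."""
    sections = parse_smb_conf(text)
    if _norm(share) not in sections:
        return None
    # A value in the share wins, then [global], then the module default "no".
    fallback = sections.get("global", {}).get(_norm(PARAM), "no")
    return sections[_norm(share)].get(_norm(PARAM), fallback).lower() in ("yes", "true", "1")
```

On a DC, pass it the contents of the real smb.conf or the output of `testparm -s`.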
Hi Louis! :)

I just see something strange...
Until now, I linked my GPO on the OU=Computers and it was not working...
But if I link my GPO on the whole domain it's working... ( but the GPO applies to all... )

On 18/02/2016 15:29, L.P.H. van Belle wrote:
> Hai Sam,
>
> Try the following,
>
> 1) ignore these messages:
>> If I create a new GPO The "samba-tool ntacl sysvolcheck" command return
>> this error :
>> root at S4:~# samba-tool ntacl sysvolcheck
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
>> .....
>
> 2) add this line to your sysvol share
> acl_xattr:ignore system acls = yes
>
> No other OS than Windows uses this share normally, so it's safe to
> ignore the system's rights.

It was already done with your script ;)

> 3) and check from within Windows the sysvol share rights and the sysvol folder rights.

I have 4 groups with at least read/execute access rights ( authenticated users, system, administrators, server operators )

> DO NOT CHANGE ANYTHING.
>
> Now it works.. ;-)
>
> If not
>
> 4) give group "Domain Users" a GID

I'm not sure I understand well, could you explain?

> Test again,
> Now it works.
>
> If not...
> Pff, mail us again. ;-) something else is wrong.
>
> Greetz,
>
> Louis

Many thanks!
See you.

Sam
Hai Sam.

Ah, but that is not an error. ;-)
That's a design flaw or some missing knowledge.

So... ;-) have a read.
Some good references I also use.

Basic needs to understand:

Group Policy Basics – Part 1: Understanding the Structure of a GPO
https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/

Group Policy Basics – Part 2: Understanding Which GPOs to Apply
https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/15/group-policy-basics-part-2-understanding-which-gpos-to-apply/

For a quick start to fix your problem:
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part1.html
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part2.html
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part3.html

And yes, it's worth the read.
I had some flaws also, and after reading all of the above I've fixed my flaws.

There is no direct fix to explain because no network is the same.
I think you'll manage it.

Greetz,

Louis
To be precise, I try to launch a small exe with a msgbox.
I'm using the GPO user logon script side,
but all that I store in this OU are computers.
Does it mismatch?

Sam

-------- Forwarded message --------
Subject: Re: [Samba] Gpo issue
Date: Thu, 18 Feb 2016 16:08:19 +0100
From: Sam <sr42354 at gmail.com>
To: samba at lists.samba.org <samba at lists.samba.org>

Hi Louis! :)

I just see something strange...
Until now, I linked my GPO on the OU=Computers and it was not working...
But if I link my GPO on the whole domain it's working... ( but the GPO applies to all... )
Missed your replies, sorry about that, so the answers on that.

> > 3) and check from within Windows the sysvol share rights and the sysvol
> > folder rights.
> I have 4 groups with at least read/execute access rights ( authenticated
> users, system, administrators, server operators )

Yes, correct, this is the default, keep it; normally it's not needed to change anything here.
Other users need to change/create policies. For that you have the "Group Policy Creator Owners" for example.

> > 4) give group "Domain Users" a GID
> I'm not sure I understand well, could you explain?

You can give the domain user a GID, in ADUC, unit tab.
But .. if it now works, only add it if you need it.
And this is based on the backend AD.
If you use RID, you already have a GID for "Domain Users".

Only one tip I can give for a GPO setup.
Think well about it before implementing it and start simple.
And be aware of IE11, for that you need extra tools these days.

Greetz,

Louis