Sébastien Le Ray
2016-Mar-19 07:16 UTC
[Samba] Permission denied on GPT.ini (Event ID 1058)
Le 18/03/2016 20:58, lingpanda101 at gmail.com a écrit :> On 3/18/2016 2:15 PM, Sébastien Le Ray wrote: >> >> >>> >>> Are you using Item level targeting in your GPO? >>> >> >> No > > When this error happens, can you confirm if you can manually navigate > to the file? Open file explorer and enter the UNC path. > > ie. \\domain\sysvol\domain\Policies\SomeGUID\gpt.ini > > On the workstation having the issue.Yes but in that case I'm not using the machine account anymore but the currently logged in user account. That's why I guess it is related to some machine account configuration issue but I can find no way to test machine account access…
> Am 19.03.2016 um 08:16 schrieb Sébastien Le Ray <sebastien-samba at orniz.org>: > > Yes but in that case I'm not using the machine account anymore but the currently logged in user account. That's why I guess it is related to some machine account configuration issue but I can find no way to test machine account access…psexec -i -s cmd.exe must be run as admin will open a new window try there: echo %username% looks like machine account hope this helps, Klaus -- Message sent from a mobile device, please excuse brevity and typos
Sébastien Le Ray
2016-Mar-21 09:44 UTC
[Samba] Permission denied on GPT.ini (Event ID 1058)
Le 20/03/2016 17:03, Klaus Hartnegg a écrit :>> Am 19.03.2016 um 08:16 schrieb Sébastien Le Ray <sebastien-samba at orniz.org>: >> >> Yes but in that case I'm not using the machine account anymore but the currently logged in user account. That's why I guess it is related to some machine account configuration issue but I can find no way to test machine account access… > psexec -i -s cmd.exe > must be run as admin > will open a new window > try there: > echo %username% > looks like machine accountHi, This gives me the machine account name which I already know. BUT I used pushd \\path\to\sysvol in the spawned cmd.exe and I successfully mounted the supposedly unreadable share (tries all 5 DCs) and type'd the GPT.ini If someone has any further investigation track, I'll take it Regards
L.P.H. van Belle
2016-Mar-21 14:53 UTC
[Samba] Permission denied on GPT.ini (Event ID 1058)
Hai,
Today i had a "about" same problem.
Check the following.
1) Get the Policy id ( like ": {78732DBF-5381-497B-9B25-00A278270A1F}
from
PATH_TO_SYSVOL_FOLDER/Policies/
2) run getfacl on the folder like :
getfacl \{78751DBF-5381-497B-9B25-00A278270A1F\}/
here in my case i noticed the following.
I had a user set on one specific policie, i changed that users to a newly
created group.
After looking with getfacl i noticed, that the user was still on GPT.INI
and not the group.
Reculting in the Permission denied on GPT.ini.
For now i fixed it by getting setting the inheritance of the folder to the files
again.
Resume what i think and others must test also.
When creating the policy for the first time it sets the correct U+G rights.
After changing this, not.
Other quick fix is, add the computer($) to the group.
I hope people know what i mean, if not, ask me.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Sébastien Le
Ray
> Verzonden: maandag 21 maart 2016 10:45
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
>
>
>
> Le 20/03/2016 17:03, Klaus Hartnegg a écrit :
> >> Am 19.03.2016 um 08:16 schrieb Sébastien Le Ray <sebastien-
> samba at orniz.org>:
> >>
> >> Yes but in that case I'm not using the machine account anymore
but the
> currently logged in user account. That's why I guess it is related to
some
> machine account configuration issue but I can find no way to test machine
> account access?
> > psexec -i -s cmd.exe
> > must be run as admin
> > will open a new window
> > try there:
> > echo %username%
> > looks like machine account
>
> Hi,
>
> This gives me the machine account name which I already know.
>
> BUT I used pushd \\path\to\sysvol in the spawned cmd.exe and I
> successfully mounted the supposedly unreadable share (tries all 5 DCs)
> and type'd the GPT.ini
>
> If someone has any further investigation track, I'll take it
>
> Regards
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba