Hello Sébastien Le Ray, The PC reply the following... The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one or more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller). The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller). To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results. On Sun, Jul 24, 2016 at 3:56 PM, Sébastien Le Ray <sebastien-samba at orniz.org> wrote:> Hi, > > Do you have any specific error message in Windows events log concerning > GPO? > > Regards > > > Le 24/07/2016 à 05:40, Min Wai Chan a écrit : > >> Dear All, >> I've recently upgrade from samba 4.1.x to samba 4.2.14 and found that GPO >> are having issue >> >> Specifically when I'm adding new using they *never *got the gpupdate >> >> success fully. >> >> When I run samba-tool ntacl sysvolcheck or samba-tool ntacl sysvolreset >> >> But don't seem to got it fix.. >> >> Any suggestion? >> >> Thank in advance. >> >> #samba-tool ntacl sysvolcheck >> Processing section "[netlogon]" >> Processing section "[sysvol]" >> Processing section "[dfs]" >> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - >> ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/ >> kl01.amtb-m.org.my/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} >> <http://kl01.amtb-m.org.my/Policies/%7B6AC1786C-016F-11D2-945F-00C04FB984F9%7D> >> >> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) >> does not match expected value >> >> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) >> from GPO object >> File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", >> line >> 175, in _run >> return self.run(*args, **kwargs) >> File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line >> 249, in run >> lp) >> File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", >> line 1730, in checksysvolacl >> direct_db_access) >> File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", >> line 1681, in check_gpos_acl >> domainsid, direct_db_access) >> File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", >> line 1628, in check_dir_acl >> raise ProvisioningError('%s ACL on GPO directory %s %s does not match >> expected value %s from GPO object' % (acl_type(direct_db_access), path, >> fsacl_sddl, acl)) >> >> Regards, >> Min Wai >> > >
Hi, That's look more like a gpupdate output than an event log entry :-) Le 24/07/2016 à 20:46, Min Wai Chan a écrit :> Hello Sébastien Le Ray, > > The PC reply the following... > > The processing of Group Policy failed. Windows could not resolve the user > name. This could be caused by one or more of the following: > a) Name Resolution failure on the current domain controller. > b) Active Directory Replication Latency (an account created on another > domain controller has not replicated to the current domain controller). > > The processing of Group Policy failed. Windows could not resolve the > computer name. This could be caused by one of more of the following: > a) Name Resolution failure on the current domain controller. > b) Active Directory Replication Latency (an account created on another > domain controller has not replicated to the current domain controller). > > To diagnose the failure, review the event log or run GPRESULT /H > GPReport.html from > the command line to access information about Group Policy results. > > On Sun, Jul 24, 2016 at 3:56 PM, Sébastien Le Ray <sebastien-samba at orniz.org >> wrote: >> Hi, >> >> Do you have any specific error message in Windows events log concerning >> GPO? >> >> Regards >> >> >> Le 24/07/2016 à 05:40, Min Wai Chan a écrit : >> >>> Dear All, >>> I've recently upgrade from samba 4.1.x to samba 4.2.14 and found that GPO >>> are having issue >>> >>> Specifically when I'm adding new using they *never *got the gpupdate >>> >>> success fully. >>> >>> When I run samba-tool ntacl sysvolcheck or samba-tool ntacl sysvolreset >>> >>> But don't seem to got it fix.. >>> >>> Any suggestion? >>> >>> Thank in advance. >>> >>> #samba-tool ntacl sysvolcheck >>> Processing section "[netlogon]" >>> Processing section "[sysvol]" >>> Processing section "[dfs]" >>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - >>> ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/ >>> kl01.amtb-m.org.my/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} >>> <http://kl01.amtb-m.org.my/Policies/%7B6AC1786C-016F-11D2-945F-00C04FB984F9%7D> >>> >>> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) >>> does not match expected value >>> >>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) >>> from GPO object >>> File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", >>> line >>> 175, in _run >>> return self.run(*args, **kwargs) >>> File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line >>> 249, in run >>> lp) >>> File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", >>> line 1730, in checksysvolacl >>> direct_db_access) >>> File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", >>> line 1681, in check_gpos_acl >>> domainsid, direct_db_access) >>> File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", >>> line 1628, in check_dir_acl >>> raise ProvisioningError('%s ACL on GPO directory %s %s does not match >>> expected value %s from GPO object' % (acl_type(direct_db_access), path, >>> fsacl_sddl, acl)) >>> >>> Regards, >>> Min Wai >>> >>
Dear Sébastien,
Sorry for the delay,
Please check on the log below.
As for the word "存取被拒。" it should translate to Access Deny...
Please help.
- <Event xmlns="*http://schemas.microsoft.com/win/2004/08/events/event
<http://schemas.microsoft.com/win/2004/08/events/event>*">
- <System>
<Provider Name="*Microsoft-Windows-GroupPolicy*" Guid="
*{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}*" />
<EventID>1055</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="*2016-08-03T02:25:58.236569500Z*" />
<EventRecordID>237427</EventRecordID>
<Correlation
ActivityID="*{20A9F83F-172B-4F62-8B1A-5732474FD71D}*" />
<Execution ProcessID="*1156*" ThreadID="*1872*" />
<Channel>System</Channel>
<Computer>WIN7SRV.kl01.amtb-m.org.my</Computer>
<Security UserID="*S-1-5-18*" />
</System>
- <EventData>
<Data Name="*SupportInfo1*">1</Data>
<Data Name="*SupportInfo2*">2052</Data>
<Data Name="*ProcessingMode*">0</Data>
<Data Name="*ProcessingTimeInMilliseconds*">3495</Data>
<Data Name="*ErrorCode*">5</Data>
<Data Name="*ErrorDescription*">存取被拒。</Data>
</EventData>
</Event>
- <Event xmlns="*http://schemas.microsoft.com/win/2004/08/events/event
<http://schemas.microsoft.com/win/2004/08/events/event>*">
- <System>
<Provider Name="*Microsoft-Windows-GroupPolicy*" Guid="
*{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}*" />
<EventID>1053</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="*2016-08-03T02:25:58.220969800Z*" />
<EventRecordID>237426</EventRecordID>
<Correlation
ActivityID="*{81CBE41A-C06F-4C33-9A59-DA9418903184}*" />
<Execution ProcessID="*1156*" ThreadID="*4516*" />
<Channel>System</Channel>
<Computer>WIN7SRV.kl01.amtb-m.org.my</Computer>
<Security
UserID="*S-1-5-21-3560897929-3766931875-2087304217-2002*" />
</System>
- <EventData>
<Data Name="*SupportInfo1*">1</Data>
<Data Name="*SupportInfo2*">2052</Data>
<Data Name="*ProcessingMode*">0</Data>
<Data Name="*ProcessingTimeInMilliseconds*">3541</Data>
<Data Name="*ErrorCode*">5</Data>
<Data Name="*ErrorDescription*">存取被拒。</Data>
</EventData>
</Event>
On Mon, Jul 25, 2016 at 2:51 AM, Sébastien Le Ray <sebastien-samba at
orniz.org> wrote:
> Hi,
>
> That's look more like a gpupdate output than an event log entry :-)
>
>
>
> Le 24/07/2016 à 20:46, Min Wai Chan a écrit :
>
>> Hello Sébastien Le Ray,
>>
>> The PC reply the following...
>>
>> The processing of Group Policy failed. Windows could not resolve the
user
>> name. This could be caused by one or more of the following:
>> a) Name Resolution failure on the current domain controller.
>> b) Active Directory Replication Latency (an account created on another
>> domain controller has not replicated to the current domain controller).
>>
>> The processing of Group Policy failed. Windows could not resolve the
>> computer name. This could be caused by one of more of the following:
>> a) Name Resolution failure on the current domain controller.
>> b) Active Directory Replication Latency (an account created on another
>> domain controller has not replicated to the current domain controller).
>>
>> To diagnose the failure, review the event log or run GPRESULT /H
>> GPReport.html from
>> the command line to access information about Group Policy results.
>>
>> On Sun, Jul 24, 2016 at 3:56 PM, Sébastien Le Ray <
>> sebastien-samba at orniz.org
>>
>>> wrote:
>>> Hi,
>>>
>>> Do you have any specific error message in Windows events log
concerning
>>> GPO?
>>>
>>> Regards
>>>
>>>
>>> Le 24/07/2016 à 05:40, Min Wai Chan a écrit :
>>>
>>> Dear All,
>>>> I've recently upgrade from samba 4.1.x to samba 4.2.14 and
found that
>>>> GPO
>>>> are having issue
>>>>
>>>> Specifically when I'm adding new using they *never *got the
gpupdate
>>>>
>>>> success fully.
>>>>
>>>> When I run samba-tool ntacl sysvolcheck or samba-tool ntacl
sysvolreset
>>>>
>>>> But don't seem to got it fix..
>>>>
>>>> Any suggestion?
>>>>
>>>> Thank in advance.
>>>>
>>>> #samba-tool ntacl sysvolcheck
>>>> Processing section "[netlogon]"
>>>> Processing section "[sysvol]"
>>>> Processing section "[dfs]"
>>>> ERROR(<class
'samba.provision.ProvisioningError'>): uncaught exception -
>>>> ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/
>>>>
kl01.amtb-m.org.my/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>
<http://kl01.amtb-m.org.my/Policies/%7B6AC1786C-016F-11D2-945F-00C04FB984F9%7D>
>>>> <
>>>>
http://kl01.amtb-m.org.my/Policies/%7B6AC1786C-016F-11D2-945F-00C04FB984F9%7D
>>>> >
>>>>
>>>>
>>>>
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>>> does not match expected value
>>>>
>>>>
>>>>
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>>> from GPO object
>>>> File
"/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
>>>> line
>>>> 175, in _run
>>>> return self.run(*args, **kwargs)
>>>> File
"/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py",
>>>> line
>>>> 249, in run
>>>> lp)
>>>> File
>>>>
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
>>>> line 1730, in checksysvolacl
>>>> direct_db_access)
>>>> File
>>>>
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
>>>> line 1681, in check_gpos_acl
>>>> domainsid, direct_db_access)
>>>> File
>>>>
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py",
>>>> line 1628, in check_dir_acl
>>>> raise ProvisioningError('%s ACL on GPO directory %s
%s does not
>>>> match
>>>> expected value %s from GPO object' %
(acl_type(direct_db_access), path,
>>>> fsacl_sddl, acl))
>>>>
>>>> Regards,
>>>> Min Wai
>>>>
>>>>
>>>
>
Hai Min Wai, Please read these links, MS change some things in GPO. MS16-072: Security update for Group Policy: June 14, 2016 https://support.microsoft.com/en-gb/kb/3159398 The following page explains the issues and the corrective measures. https://support.microsoft.com/en-gb/kb/3163622 In sum: Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO). If you are using security filtering, add the Domain Computers group with read permission. See if above helps you. If not, enable GPO operational logging. Open registry editor, navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion - Right click CurrentVersion->New->Key - Rename the newly created key to Diagnostics - Right click on Diagnostics->New->DWORD(32-bit)value, rename the new DWORD entry to GPSvcDebugLevel and set the value as 0x30002 (hexadecimal) - After you modified the registry, please run the command gpupdate /force at command prompt to refresh the policy. Reboot the computer to reproduce the issue. The log file is written to the %SystemRoot%\Debug\UserMode folder. And see if you get more/better info from the debug log. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Min Wai Chan > Verzonden: woensdag 3 augustus 2016 4:45 > Aan: Sébastien Le Ray > CC: samba at lists.samba.org > Onderwerp: Re: [Samba] Samba 4.2.14 GPO issue > > Dear Sébastien, > > Sorry for the delay, > > Please check on the log below. > As for the word "???????????????" it should translate to Access Deny... > > Please help. > > > - <Event xmlns="*http://schemas.microsoft.com/win/2004/08/events/event > <http://schemas.microsoft.com/win/2004/08/events/event>*"> > - <System> > <Provider Name="*Microsoft-Windows-GroupPolicy*" Guid=" > *{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}*" /> > <EventID>1055</EventID> > <Version>0</Version> > <Level>2</Level> > <Task>0</Task> > <Opcode>1</Opcode> > <Keywords>0x8000000000000000</Keywords> > <TimeCreated SystemTime="*2016-08-03T02:25:58.236569500Z*" /> > <EventRecordID>237427</EventRecordID> > <Correlation ActivityID="*{20A9F83F-172B-4F62-8B1A-5732474FD71D}*" /> > <Execution ProcessID="*1156*" ThreadID="*1872*" /> > <Channel>System</Channel> > <Computer>WIN7SRV.kl01.amtb-m.org.my</Computer> > <Security UserID="*S-1-5-18*" /> > </System> > - <EventData> > <Data Name="*SupportInfo1*">1</Data> > <Data Name="*SupportInfo2*">2052</Data> > <Data Name="*ProcessingMode*">0</Data> > <Data Name="*ProcessingTimeInMilliseconds*">3495</Data> > <Data Name="*ErrorCode*">5</Data> > <Data Name="*ErrorDescription*">???????????????</Data> > </EventData> > </Event> > > > - <Event xmlns="*http://schemas.microsoft.com/win/2004/08/events/event > <http://schemas.microsoft.com/win/2004/08/events/event>*"> > - <System> > <Provider Name="*Microsoft-Windows-GroupPolicy*" Guid=" > *{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}*" /> > <EventID>1053</EventID> > <Version>0</Version> > <Level>2</Level> > <Task>0</Task> > <Opcode>1</Opcode> > <Keywords>0x8000000000000000</Keywords> > <TimeCreated SystemTime="*2016-08-03T02:25:58.220969800Z*" /> > <EventRecordID>237426</EventRecordID> > <Correlation ActivityID="*{81CBE41A-C06F-4C33-9A59-DA9418903184}*" /> > <Execution ProcessID="*1156*" ThreadID="*4516*" /> > <Channel>System</Channel> > <Computer>WIN7SRV.kl01.amtb-m.org.my</Computer> > <Security UserID="*S-1-5-21-3560897929-3766931875-2087304217-2002*" /> > </System> > - <EventData> > <Data Name="*SupportInfo1*">1</Data> > <Data Name="*SupportInfo2*">2052</Data> > <Data Name="*ProcessingMode*">0</Data> > <Data Name="*ProcessingTimeInMilliseconds*">3541</Data> > <Data Name="*ErrorCode*">5</Data> > <Data Name="*ErrorDescription*">???????????????</Data> > </EventData> > </Event> > > > > > On Mon, Jul 25, 2016 at 2:51 AM, Sébastien Le Ray <sebastien- > samba at orniz.org > > wrote: > > > Hi, > > > > That's look more like a gpupdate output than an event log entry :-) > > > > > > > > Le 24/07/2016 à 20:46, Min Wai Chan a écrit : > > > >> Hello Sébastien Le Ray, > >> > >> The PC reply the following... > >> > >> The processing of Group Policy failed. Windows could not resolve the > user > >> name. This could be caused by one or more of the following: > >> a) Name Resolution failure on the current domain controller. > >> b) Active Directory Replication Latency (an account created on another > >> domain controller has not replicated to the current domain controller). > >> > >> The processing of Group Policy failed. Windows could not resolve the > >> computer name. This could be caused by one of more of the following: > >> a) Name Resolution failure on the current domain controller. > >> b) Active Directory Replication Latency (an account created on another > >> domain controller has not replicated to the current domain controller). > >> > >> To diagnose the failure, review the event log or run GPRESULT /H > >> GPReport.html from > >> the command line to access information about Group Policy results. > >> > >> On Sun, Jul 24, 2016 at 3:56 PM, Sébastien Le Ray < > >> sebastien-samba at orniz.org > >> > >>> wrote: > >>> Hi, > >>> > >>> Do you have any specific error message in Windows events log > concerning > >>> GPO? > >>> > >>> Regards > >>> > >>> > >>> Le 24/07/2016 à 05:40, Min Wai Chan a écrit : > >>> > >>> Dear All, > >>>> I've recently upgrade from samba 4.1.x to samba 4.2.14 and found that > >>>> GPO > >>>> are having issue > >>>> > >>>> Specifically when I'm adding new using they *never *got the gpupdate > >>>> > >>>> success fully. > >>>> > >>>> When I run samba-tool ntacl sysvolcheck or samba-tool ntacl > sysvolreset > >>>> > >>>> But don't seem to got it fix.. > >>>> > >>>> Any suggestion? > >>>> > >>>> Thank in advance. > >>>> > >>>> #samba-tool ntacl sysvolcheck > >>>> Processing section "[netlogon]" > >>>> Processing section "[sysvol]" > >>>> Processing section "[dfs]" > >>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught > exception - > >>>> ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/ > >>>> kl01.amtb-m.org.my/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} > >>>> <http://kl01.amtb-m.org.my/Policies/%7B6AC1786C-016F-11D2-945F- > 00C04FB984F9%7D> > >>>> < > >>>> http://kl01.amtb-m.org.my/Policies/%7B6AC1786C-016F-11D2-945F- > 00C04FB984F9%7D > >>>> > > >>>> > >>>> > >>>> > O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001 > f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x00120 > 0a9;;;AU)(A;OICI;0x001200a9;;;ED) > >>>> does not match expected value > >>>> > >>>> > >>>> > O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001 > f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x00120 > 0a9;;;AU)(A;OICI;0x001200a9;;;ED) > >>>> from GPO object > >>>> File "/usr/lib64/python2.7/site- > packages/samba/netcmd/__init__.py", > >>>> line > >>>> 175, in _run > >>>> return self.run(*args, **kwargs) > >>>> File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", > >>>> line > >>>> 249, in run > >>>> lp) > >>>> File > >>>> "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", > >>>> line 1730, in checksysvolacl > >>>> direct_db_access) > >>>> File > >>>> "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", > >>>> line 1681, in check_gpos_acl > >>>> domainsid, direct_db_access) > >>>> File > >>>> "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", > >>>> line 1628, in check_dir_acl > >>>> raise ProvisioningError('%s ACL on GPO directory %s %s does not > >>>> match > >>>> expected value %s from GPO object' % (acl_type(direct_db_access), > path, > >>>> fsacl_sddl, acl)) > >>>> > >>>> Regards, > >>>> Min Wai > >>>> > >>>> > >>> > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba