I'm having problems with GPO in Samba 4.2.1

I created a GPO to Block Control Panel and applied it in my Domain OU.

In the desktop client I typed "gpupdate /force" and a success message appeared asking me to reboot my system. After the reboot the GPO doesn't work.

Other GPOs such as WSUS update, Wallpaper and others don't work either.

Following is the result of the command: GPRESULT /H GPResult.html

GPOs Applied
Name                     Location Link     Revision
Default Domain Policy    empresa.com.br    AD (1), Sysvol (65535)

GPOs Denied
Name                                      Location Link                       Denial Reason
Local Group Policies                      Location                            EMPTY
{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}    empresa.com.br                      Inacessible
{D65C5B66-A380-48AD-AC8A-DE417173E293}    empresa.comb.br/EMPRESA/SecInfor    Inacessible
Wallpaper                                 empresa.comb.br/EMPRESA/SecInfor    Inacessible

How can I debug this problem?

Regards,

Márcio

On 11/2/2016 5:51 PM, Marcio Demetrio Bacci via samba wrote:
> I'm having problems with GPO in Samba 4.2.1
>
> I created a GPO to Block Control Panel and applied it in my Domain OU.
>
> In the desktop client I typed "gpupdate /force" and a success message
> appeared asking me to reboot my system. After the reboot the GPO doesn't work.
>
> Other GPOs such as WSUS update, Wallpaper and others don't work either.
>
> Following is the result of the command: GPRESULT /H GPResult.html
>
> GPOs Applied
> Name                     Location Link     Revision
> Default Domain Policy    empresa.com.br    AD (1), Sysvol (65535)
>
> GPOs Denied
> Name                                      Location Link                       Denial Reason
> Local Group Policies                      Location                            EMPTY
> {0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}    empresa.com.br                      Inacessible
> {D65C5B66-A380-48AD-AC8A-DE417173E293}    empresa.comb.br/EMPRESA/SecInfor    Inacessible
> Wallpaper                                 empresa.comb.br/EMPRESA/SecInfor    Inacessible
>
> How can I debug this problem?
>
> Regards,
>
> Márcio

The denial reason Inaccessible usually refers to a permissions problem. Verify that the user and/or computer the GPO applies to has the correct permissions. Can you run 'getfacl /Policies/{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}' and post the results?

--
- James

On 11/3/2016 9:59 AM, Marcio Demetrio Bacci wrote:
> Thanks Lingpanda101
>
> Following the result of command:
>
> # file: Policies/{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}
> # owner: 10060
> # group: 30028
> user::rwx
> user:10060:rwx
> user:3000002:rwx
> user:3000010:r-x
> group::rwx
> group:30028:rwx
> group:30032:r-x
> group:30033:rwx
> group:3000002:rwx
> group:3000010:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:10060:rwx
> default:user:3000002:rwx
> default:user:3000010:r-x
> default:group::---
> default:group:30028:rwx
> default:group:30032:r-x
> default:group:30033:rwx
> default:group:3000002:rwx
> default:group:3000010:r-x
> default:mask::rwx
> default:other::---
>
> Regards,
>
> Márcio

I see you have given some users and groups a UID. Can you tell me the results of

wbinfo --uid-info=10060
wbinfo --uid-info=30028
wbinfo --uid-info=30032
wbinfo --uid-info=10060
wbinfo --uid-info=30033

I don't see user:3000003 which I believe is Authenticated Users. Did you give this group a UID?

--
- James

On Thu, 3 Nov 2016 10:25:00 -0400 lingpanda101 via samba <samba at lists.samba.org> wrote:
> I see you have given some users and groups a UID. Can you tell me the
> results of
>
> wbinfo --uid-info=10060
> wbinfo --uid-info=30028
> wbinfo --uid-info=30032
> wbinfo --uid-info=10060
> wbinfo --uid-info=30033
>
> I don't see user:3000003 which I believe is Authenticated Users. Did
> you give this group a UID?

If giving users a uidNumber isn't modifying things, I don't know what is.

Rowland

On Thu, 3 Nov 2016 10:25:00 -0400 lingpanda101 via samba <samba at lists.samba.org> wrote:
> On 11/3/2016 9:59 AM, Marcio Demetrio Bacci wrote:
> > # file: Policies/{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}
> > # owner: 10060
> > # group: 30028
>
> I see you have given some users and groups a UID. Can you tell me the
> results of
>
> wbinfo --uid-info=10060
> wbinfo --uid-info=30028
> wbinfo --uid-info=30032
> wbinfo --uid-info=10060
> wbinfo --uid-info=30033
>
> I don't see user:3000003 which I believe is Authenticated Users. Did
> you give this group a UID?

Seeing as this is not one of the two std GPOs, you have a problem. When you create a GPO, the owners are Domain Admins and the group is Domain Admins, so who is '10060' and what is '30028'?

Rowland

A Microsoft security update for Group Policy changed the behavior of clients in regard to GPOs:

MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398

The following page explains the issues and the corrective measures.
https://support.microsoft.com/en-gb/kb/3163622

In sum: Add the Authenticated Users group with Read Permissions to the Group Policy Object (GPO). Also add the Domain Computers group with read permission.

Did you take this into account? This did bite me some months ago. All of a sudden, the GPOs were not being applied. When I made the above changes, they immediately started working again.
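
The check James asks for earlier in the thread, whether a given id has a read entry in the getfacl output, written as a small parser. This is an added example, not code from the thread or from Samba; the function names are hypothetical, the sample is an abridged copy of the posted output, and 3000003 is only the id James says he believes is Authenticated Users (ids are site-specific).

```python
import re

# Abridged copy of the getfacl output posted in the thread (most default: lines trimmed).
SAMPLE = """\
# file: Policies/{0F1E5B10-3640-4FFE-AA6B-5DE4CFF73625}
# owner: 10060
# group: 30028
user::rwx
user:3000002:rwx
user:3000010:r-x
group::rwx
group:30032:r-x
group:3000010:r-x
mask::rwx
other::---
default:group:3000010:r-x
default:mask::rwx
"""

ENTRY = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([r-][w-][x-])$")

def parse_acl(text):
    """Split getfacl text into {'access': {(tag, id): perms}, 'default': {...}}."""
    acl = {"access": {}, "default": {}}
    for line in text.splitlines():
        # Drop '# file/owner/group' headers and trailing '#effective:' notes.
        m = ENTRY.match(line.split("#", 1)[0].strip())
        if m:
            scope = "default" if m.group(1) else "access"
            acl[scope][(m.group(2), m.group(3))] = m.group(4)
    return acl

def can_read(entries, xid):
    """True if a named user: or group: entry for xid keeps r and x after the mask."""
    mask = entries.get(("mask", ""), "rwx")
    for tag in ("user", "group"):
        perms = entries.get((tag, str(xid)))
        if perms and "-" not in perms[::2] + mask[::2]:
            return True
    return False

def missing_read(text, required):
    """Per ACL scope, the ids in `required` that cannot read and traverse the folder."""
    acl = parse_acl(text)
    return {scope: [x for x in required if not can_read(entries, x)]
            for scope, entries in acl.items()}

# 3000003 is the id James says he believes is Authenticated Users; ids differ per site.
print(missing_read(SAMPLE, [3000003, 3000010]))
```

An id missing from the access scope has no entry that lets it open the folder now; one missing from the default scope will also be left out of the ACL on files and folders created under it later.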