Hai Stefan,

A heads up and a few advised changes/tips for you.

smb.conf:
realm = my.tld
Change to
realm = MY.TLD

Try to set a REALM always in CAPS. Some programs rely on that. (For example, MIT Kerberos expects realm in CAPS.)
So prepare for 4.7 now already to save problems in future.

These shares.
> [netlogon]
> path = /var/lib/samba/sysvol/my.tld/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> acl_xattr:ignore system acls = Yes # just a try ...

Or any "windows only" share, like profiles.
I have best results if acl_xattr:ignore system acls = Yes is set.
Only thing is, after setting and restarting samba, you must set share and security settings again.
But now, include user SYSTEM on the shares: sysvol, profiles and optional users_home

About the sysvol
If I run: samba-tool gpo aclcheck, I get.
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
    ds_sd_ndr = m['nTSecurityDescriptor'][0]

Or samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /home/samba/sysvol/rotterdam.bazuin.nl/Policies/{ABF652FU-CA18-4693-BD18-6B4FC8A0513A} O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

These are known, just ignore it, do not run the checks again.

Check if you have on the security tab the following.
Verified Users, read and exec
System, full control
Server Operators, read and exec
NTDOM\Administrators, full control

On the share tab, if you have access denied on group policies, add users SYSTEM to the share rights on sysvol.

On the ..
>> I can't logon to the PC still with some users - that error with the user login service, maybe related to some serverbased profile setting somewhere (?)

Start with, login as NTDOM\Administrator into the domain with a domain joined pc.
Go to the domain policy and setup
https://technet.microsoft.com/en-us/library/gg486839.aspx
And setup the "Always wait for the network at computer startup and logon" policy setting
Reboot the pc 2 times. First time it's applied, second time it should be working.

And before the reboots start with cleanup the windows event logs.

Start from here, see what happens and post again if you have questions.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan G. Weichinger via samba
> Sent: Tuesday 23 May 2017 20:34
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] classic upgrade, splitting servers
>
> On 2017-05-23 at 20:28, Rowland Penny wrote:
>
> > That one, what version of windows are you using, 8.8, 8.1 or 10 ?
> > If you have a win 7 machine, try it from that.
>
> I have a win10 machine here for tests. They only run 10 anymore ... I would have to dig for a legacy system at their site next week or so.
>
> >>> In which case, what happened to 'netbios name =' ?
> >>
> >> good question. maybe obsolete as it is the default?
> >>
> >
> > It may be the default, but I have never seen a DC smb.conf without it.
>
> here the file:
>
> # cat /etc/samba/smb.conf
> # Global parameters
> [global]
> workgroup = BUERO
> realm = my.tld
> netbios name = DC
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> load printers = No
> printcap name = /dev/null
>
> [netlogon]
> path = /var/lib/samba/sysvol/my.tld/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> acl_xattr:ignore system acls = Yes # just a try ...
>
> ---
>
> I can't logon to the PC still with some users - that error with the user login service, maybe related to some serverbased profile setting somewhere (?)
>
> --- the GPO error:
>
> root@dc:/var/lib/samba/sysvol/my.tld/Policies# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/my.tld/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>
> --- thanks so far, I get out of office now for some time .. late here
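Added example, not part of the thread and not Samba's own code: a small SDDL parser that diffs the two security descriptors printed by the `samba-tool ntacl sysvolcheck` error quoted above, so the mismatch can be read off instead of compared by eye. The function names are hypothetical, the alias table lists the standard SDDL SID aliases that occur in that output, and the two strings are the ones from Stefan's error message.

```python
import re
from collections import Counter

# Standard SDDL SID aliases that occur in the sysvolcheck output in the thread.
ALIASES = {
    "LA": "Administrator account, RID 500",
    "DA": "Domain Admins",
    "EA": "Enterprise Admins",
    "CO": "Creator Owner",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}

_SID = r"(?:S-1-[0-9-]+|[A-Z]{2})"
_SDDL = re.compile(
    rf"^(?:O:(?P<owner>{_SID}))?(?:G:(?P<group>{_SID}))?"
    r"(?:D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^()]*\))*))?$"
)

def parse_sddl(sddl):
    """Split an O:/G:/D: SDDL string into owner, group, DACL flags and ACEs.
    SACLs (S:) are out of scope for this example and are rejected."""
    m = _SDDL.match(sddl.strip())
    if m is None:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group("aces") or ""):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE needs 6 fields: %r" % body)
        ace_type, ace_flags, rights, _obj, _inherit_obj, trustee = fields
        aces.append((ace_type, ace_flags, rights.lower(), trustee))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "flags": m.group("flags") or "", "aces": aces}

def name(sid):
    """Render a SID alias together with its well-known meaning."""
    return "%s (%s)" % (sid, ALIASES[sid]) if sid in ALIASES else str(sid)

def fmt_ace(ace):
    ace_type, ace_flags, rights, trustee = ace
    return "%s;%s;%s for %s" % (ace_type, ace_flags, rights, name(trustee))

def diff_sddl(on_disk, expected):
    """Return human-readable differences between two security descriptors."""
    have, want = parse_sddl(on_disk), parse_sddl(expected)
    out = []
    for key in ("owner", "group"):
        if have[key] != want[key]:
            out.append("%s: %s, expected %s"
                       % (key, name(have[key]), name(want[key])))
    if have["flags"] != want["flags"]:
        out.append("DACL flags: %s, expected %s" % (have["flags"], want["flags"]))
    # Counter keeps duplicates, which the descriptors in the thread contain.
    have_aces, want_aces = Counter(have["aces"]), Counter(want["aces"])
    out += ["missing ACE: " + fmt_ace(a) for a in (want_aces - have_aces).elements()]
    out += ["unexpected ACE: " + fmt_ace(a) for a in (have_aces - want_aces).elements()]
    return out

# The ACE list is identical in both descriptors of the quoted error.
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
        "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
FS_SDDL = "O:LAG:DAD:P" + ACES    # ACL found on the GPO directory
GPO_SDDL = "O:DAG:DAD:P" + ACES   # value expected from the GPO object

if __name__ == "__main__":
    for line in diff_sddl(FS_SDDL, GPO_SDDL):
        print(line)
```

For the error in the thread the only difference reported is the owner field; the group, DACL flags and all seven ACEs are identical.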
On Wed, 2017-05-24 at 09:11 +0200, L.P.H. van Belle via samba wrote:
> Hai Stefan,
>
> A heads up and a few advised changes/tips for you.
>
> smb.conf:
> realm = my.tld
> Change to
> realm = MY.TLD
>
> Try to set a REALM always in CAPS. Some programs rely on that. (For example, MIT Kerberos expects realm in CAPS.)
> So prepare for 4.7 now already to save problems in future.
>

Samba (which is the only thing that reads smb.conf) always upper cases the realm internally prior to use.

(Just trying to avoid one more bit of samba folklore).

Thanks,

Andrew Bartlett

--
Andrew Bartlett                           http://samba.org/~abartlet/
Authentication Developer, Samba Team      http://samba.org
Samba Developer, Catalyst IT              http://catalyst.net.nz/services/samba
Hai Andrew,

Thank you for the extra info on that.

If that's the case, I do suggest throwing in a message in the samba logs that it is preferred to have CAPS for your realm.
Because, if people put them in smb.conf without caps, they will do it also in krb5.conf and other config files.

While: https://web.mit.edu/kerberos/krb5-devel/doc/admin/realm_config.html
States:
Although your Kerberos realm can be any ASCII string, convention is to make it the same as your domain name, in upper-case letters.

Making them more uniform will help in fewer problems.
And finding a "caps" problem is hard, believe me, I know.. ;-)
That's why I am saying this.

I know it's not an RFC to have REALM in CAPS but it should be imo.

Greetz,

Louis

> -----Original message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Wednesday 24 May 2017 9:42
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] classic upgrade, splitting servers
>
> On Wed, 2017-05-24 at 09:11 +0200, L.P.H. van Belle via samba wrote:
> > Hai Stefan,
> >
> > A heads up and a few advised changes/tips for you.
> >
> > smb.conf:
> > realm = my.tld
> > Change to
> > realm = MY.TLD
> >
> > Try to set a REALM always in CAPS. Some programs rely on that. (For example, MIT Kerberos expects realm in CAPS.)
> > So prepare for 4.7 now already to save problems in future.
> >
> Samba (which is the only thing that reads smb.conf) always upper cases the realm internally prior to use.
>
> (Just trying to avoid one more bit of samba folklore).
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                           http://samba.org/~abartlet/
> Authentication Developer, Samba Team      http://samba.org
> Samba Developer, Catalyst IT              http://catalyst.net.nz/services/samba
On 2017-05-24 at 09:11, L.P.H. van Belle via samba wrote:
> Hai Stefan,
>
> A heads up and a few advised changes/tips for you.
>
> smb.conf:
> realm = my.tld
> Change to
> realm = MY.TLD
>
> Try to set a REALM always in CAPS. Some programs rely on that. (For example, MIT Kerberos expects realm in CAPS.)
> So prepare for 4.7 now already to save problems in future.

skipped that after reading Andrew ;-)

> I have best results if acl_xattr:ignore system acls = Yes is set.
> Only thing is, after setting and restarting samba, you must set share and security settings again.
> But now, include user SYSTEM on the shares: sysvol, profiles and optional users_home

Set for both sysvol and netlogon shares, I don't have the others (?)

> Check if you have on the security tab the following.
> Verified Users, read and exec
> System, full control
> Server Operators, read and exec
> NTDOM\Administrators, full control

checked ok (within windows explorer, right?)

> On the share tab, if you have access denied on group policies, add users SYSTEM to the share rights on sysvol.

I don't see a share tab in the properties of \\dc\netlogon and \\dc\sysvol

> On the ..
>>> I can't logon to the PC still with some users - that error with the user login service, maybe related to some serverbased profile setting somewhere (?)
> Start with, login as NTDOM\Administrator into the domain with a domain joined pc.
> Go to the domain policy and setup
> https://technet.microsoft.com/en-us/library/gg486839.aspx
> And setup the "Always wait for the network at computer startup and logon" policy setting
> Reboot the pc 2 times. First time it's applied, second time it should be working.

done

> And before the reboots start with cleanup the windows event logs.

done

> Start from here, see what happens and post again if you have questions.

No big change here ...

I can:

* logon as BUERO\root

* connect to the shares on \\dc

* test other users via smbclient (auth works for them)

But:

* login as BUERO\Administrator just sits there and waits for minutes ... no error message, no desktop ... I can cancel that via CtrlAltDel

* login as some users fail with that blue error around the profile service

* as root: still the error around reading the GPOs from the DC

---

I also added the LAN-subnet as "local network" to Kaspersky settings. I wondered if Kaspersky maybe protected me from my DC.

Do I have to remove some of the user-SIDs or so from the registry?

*scratch*

Thinking of the other ~25 machines at their site I am not yet there to deploy the new DC, I assume.

thanks all for help, Stefan
On Wed, 24 May 2017 11:36:07 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> No big change here ...
>
> I can:
>
> * logon as BUERO\root
>
> * connect to the shares on \\dc
>
> * test other users via smbclient (auth works for them)
>
> But:
>
> * login as BUERO\Administrator just sits there and waits for
> minutes ... no error message, no desktop ... I can cancel that via
> CtrlAltDel
>

where are you actually logging into, the DC or a windows client ?

Rowland
Ok, let's start with:

> Thinking of the other ~25 machines at their site I am not yet
> there to deploy the new DC, I assume.

Correct, you're not there yet.

> I don't see a share tab in the properties of \\dc\netlogon
> and \\dc\sysvol

Login as Administrator,
Open the "computer manager" (right click computer, manage), right click, connect to, ..
Now you should see share and security tab.

Now, you can login as root, yes, but use Administrator.
Root is not known in AD, this is why it logs in faster.
Administrator is in an OU=Users, which "should not" have any GPO settings assigned except domain defaults.

How long did you wait the first time for the login and any windows event id's from that login?

How did you migrate your users profiles.
Just a copy paste? Because as far as I know that's not going to work.
You need something like:
https://www.forensit.com/domain-migration.html

Or
https://www.microsoft.com/en-us/download/details.aspx?id=19188
Or
USMT http://technet.microsoft.com/en-us/library/dd560801(WS.10).aspx

But in all three above, I don't use it. :-/
I configure everything in GPO, only 1 thing I have to do manually, setup the email signing.
And for that on my new mail server it's done also.
I only do: rename a pc, join a pc domain, set static ip if needed, reboot 2x and
login as my "second" Admin users to apply every computer policy.
Yes these first logins can take some time, I see that also, but that's only once here.
And the first login added my root CA.

So, if your network setup is good, everything is applied by GPO.
I'm setting for example
any windows setting I want. (per user/group or OU)
Deploy software where needed.
All my (MS) Office settings, Adobe reader, Printer deployment, certificate deployment and security settings.

But my best advice about GPOs: start with small changes, and group your changes.
Like "GPO:InternetSettings" I have 1 gpo for IE/EDGE/CHROME/Firefox. With defaults.
Or GPO:PrinterDeploy, with only printer settings.
Etc. think good about this, and ask questions.
Order is > Computer policy rules, and most settings can be overruled by a user setting.
For example, my users are not allowed to read/write from USB.

That's simply done in GPO, I now have for example.
1) nobody can read/write from USB (domain wide policy)
2) a computer gpo setting can overwrite this by GPO. (computer policy per OU or computer or group member)
3) 2 groups contains, 1 read and 1 write (regular groups USB_read and USB_write with members)
4) select group of users has read right on usb. (GPO linked to USB_read)
5) select group of users has read/write right on usb. (GPO linked to USB_read and USB_write)

And really take small steps how this works, but once setup, you're done,
and then you can enjoy for extra free time on samba problems on the list ;-P

Greetz,

Louis
On 2017-05-24 at 12:23, L.P.H. van Belle via samba wrote:
> Ok, let's start with:
>> Thinking of the other ~25 machines at their site I am not yet
>> there to deploy the new DC, I assume.
> Correct, you're not there yet.
>
>> I don't see a share tab in the properties of \\dc\netlogon
>> and \\dc\sysvol
>
> Login as Administrator,
> Open the "computer manager" (right click computer, manage), right click, connect to, ..
> Now you should see share and security tab.

I can't find it ... sorry. The german/english makes it harder ...

> Now, you can login as root, yes, but use Administrator.
> Root is not known in AD, this is why it logs in faster.
> Administrator is in an OU=Users, which "should not" have any GPO settings assigned except domain defaults.
>
> How long did you wait the first time for the login and any windows event id's from that login?

5-10 min ... just wait

event logs : I have to dig

> How did you migrate your users profiles.
> Just a copy paste? Because as far as I know that's not going to work.

NO migration.
Local profiles only, no server based ones.

that's the whole point in doing this, I don't want to touch the individual PCs at all. This worked at another site as well.

> You need something like:
> https://www.forensit.com/domain-migration.html
>
> Or
> https://www.microsoft.com/en-us/download/details.aspx?id=19188
> Or
> USMT http://technet.microsoft.com/en-us/library/dd560801(WS.10).aspx
>
> But in all three above, I don't use it. :-/
> I configure everything in GPO, only 1 thing I have to do manually, setup the email signing.
> And for that on my new mail server it's done also.
> I only do: rename a pc, join a pc domain, set static ip if needed, reboot 2x and
> login as my "second" Admin users to apply every computer policy.
> Yes these first logins can take some time, I see that also, but that's only once here.
> And the first login added my root CA.
>
> So, if your network setup is good, everything is applied by GPO.
> I'm setting for example
> any windows setting I want. (per user/group or OU)
> Deploy software where needed.
> All my (MS) Office settings, Adobe reader, Printer deployment, certificate deployment and security settings.
>
> But my best advice about GPOs: start with small changes, and group your changes.
> Like "GPO:InternetSettings" I have 1 gpo for IE/EDGE/CHROME/Firefox. With defaults.
> Or GPO:PrinterDeploy, with only printer settings.
> Etc. think good about this, and ask questions.
> Order is > Computer policy rules, and most settings can be overruled by a user setting.
> For example, my users are not allowed to read/write from USB.
>
> That's simply done in GPO, I now have for example.
> 1) nobody can read/write from USB (domain wide policy)
> 2) a computer gpo setting can overwrite this by GPO. (computer policy per OU or computer or group member)
> 3) 2 groups contains, 1 read and 1 write (regular groups USB_read and USB_write with members)
> 4) select group of users has read right on usb. (GPO linked to USB_read)
> 5) select group of users has read/write right on usb. (GPO linked to USB_read and USB_write)
>
> And really take small steps how this works, but once setup, you're done,
> and then you can enjoy for extra free time on samba problems on the list ;-P

I use GPOs at another site, so I know about the need to take small steps, right!

-

Did inbetween:

* rerun classic update: new policies, everything fresh, lower functional level now

* uninstalled Kaspersky on the test PC

* unjoined, rm-ed machine account on DC, re-joined ...

I get lost somehow ...
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan G. Weichinger via samba
> Sent: Wednesday 24 May 2017 12:38
> To: samba at lists.samba.org
> Subject: Re: [Samba] classic upgrade, splitting servers
>
> On 2017-05-24 at 12:23, L.P.H. van Belle via samba wrote:
> > Ok, let's start with:
> >> Thinking of the other ~25 machines at their site I am not yet there
> >> to deploy the new DC, I assume.
> > Correct, you're not there yet.
> >
> >> I don't see a share tab in the properties of \\dc\netlogon and
> >> \\dc\sysvol
> >
> > Login as Administrator,
> > Open the "computer manager" (right click computer, manage), right click, connect to, ..
> > Now you should see share and security tab.
>
> I can't find it ... sorry. The german/english makes it harder ...

I mean this
https://www.isunshare.com/windows-8/run-computer-management-by-command-line.html
(first picture)
Right-click on Computer Management.
Then make a connection to the DC with the FSMO roles.
Click on the plus sign, System Tools, there are Shared Folders.

You can write in German to me, if that's more easy for you, I can read it, I only lost my write skill.

> >
> > Now, you can login as root, yes, but use Administrator.
> > Root is not known in AD, this is why it logs in faster.
> > Administrator is in an OU=Users, which "should not" have any GPO settings assigned except domain defaults.
> >
> > How long did you wait the first time for the login and any windows event id's from that login?
>
> 5-10 min ... just wait
>
> event logs : I have to dig
>
> > How did you migrate your users profiles.
> > Just a copy paste? Because as far as I know that's not going to work.
>
> NO migration.
> Local profiles only, no server based ones.
>
> that's the whole point in doing this, I don't want to touch
> the individual PCs at all. This worked at another site as well.

Ok that's good, then you missed something in the setup.

> >
> > You need something like:
> > https://www.forensit.com/domain-migration.html
> >
> > Or
> > https://www.microsoft.com/en-us/download/details.aspx?id=19188
> > Or
> > USMT http://technet.microsoft.com/en-us/library/dd560801(WS.10).aspx
> >
> > But in all three above, I don't use it. :-/
> > I configure everything in GPO, only 1 thing I have to do manually, setup the email signing.
> > And for that on my new mail server it's done also.
> > I only do: rename a pc, join a pc domain, set static ip if needed,
> > reboot 2x and login as my "second" Admin users to apply every computer policy.
> > Yes these first logins can take some time, I see that also, but that's only once here.
> > And the first login added my root CA.
> >
> > So, if your network setup is good, everything is applied by GPO.
> > I'm setting for example
> > any windows setting I want. (per user/group or OU)
> > Deploy software where needed.
> > All my (MS) Office settings, Adobe reader, Printer deployment, certificate deployment and security settings.
> >
> > But my best advice about GPOs: start with small changes, and group your changes.
> > Like "GPO:InternetSettings" I have 1 gpo for IE/EDGE/CHROME/Firefox. With defaults.
> > Or GPO:PrinterDeploy, with only printer settings.
> > Etc. think good about this, and ask questions.
> > Order is > Computer policy rules, and most settings can be overruled by a user setting.
> > For example, my users are not allowed to read/write from USB.
> >
> > That's simply done in GPO, I now have for example.
> > 1) nobody can read/write from USB (domain wide policy)
> > 2) a computer gpo setting can overwrite this by GPO. (computer policy per OU or computer or group member)
> > 3) 2 groups contains, 1 read and 1 write (regular groups USB_read and USB_write with members)
> > 4) select group of users has read right on usb. (GPO linked to USB_read)
> > 5) select group of users has read/write right on usb. (GPO linked to USB_read and USB_write)
> >
> > And really take small steps how this works, but once setup, you're done,
> > and then you can enjoy for extra free time on samba problems on the
> > list ;-P
>
> I use GPOs at another site, so I know about the need to take
> small steps, right!
>
> -
>
> Did inbetween:
>
> * rerun classic update: new policies, everything fresh, lower
> functional level now

You should stay at 2008R2 in my opinion.

>
> * uninstalled Kaspersky on the test PC
>
> * unjoined, rm-ed machine account on DC, re-joined ...
>
> I get lost somehow ...