> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Wednesday 24 May 2017 12:38
> To: samba at lists.samba.org
> Subject: Re: [Samba] classic upgrade, splitting servers
>
> On 2017-05-24 at 12:23, L.P.H. van Belle via samba wrote:
> > Ok, let's start with:
> >> Thinking of the other ~25 machines at their site I am not yet there
> >> to deploy the new DC, I assume.
> > Correct, you're not there yet.
> >
> >> I don't see a share tab in the properties of \\dc\netlogon and
> >> \\dc\sysvol
> >
> > Login as Administrator,
> > Open the "computer manager" ( right click computer, manage ), right click, connect to, ..
> > Now you should see share and security tab.
>
> I can't find it ... sorry. The german/english makes it harder ...

I mean this
https://www.isunshare.com/windows-8/run-computer-management-by-command-line.html
(first picture)
Right-click Computer Management.
Then make a connection to the DC with the FSMO roles.
Click the plus sign, System Tools, there are the shared folders.

You can write in German to me, if that's easier for you,
I can read it, I only lost my writing skill.

> >
> > Now, you can login as root, yes, but use Administrator.
> > Root is not known in AD, this is why it logs in faster.
> > Administrator is in an OU=Users, which "should not" have any GPO settings assigned except domain defaults.
> >
> > How long did you wait the first time for the login and any windows event id's from that login?
>
> 5-10 min ... just wait
>
> event logs : I have to dig
>
> > How did you migrate your users profiles.
> > Just a copy paste? Because as far as I know that's not going to work.
>
> NO migration.
> Local profiles only, no server based ones.
>
> that's the whole point in doing this, I don't want to touch
> the individual PCs at all. This worked at another site as well.

Ok that's good, then you missed something in the setup.

> >
> > You need something like :
> > https://www.forensit.com/domain-migration.html
> >
> > Or
> > https://www.microsoft.com/en-us/download/details.aspx?id=19188
> > Or
> > USMT http://technet.microsoft.com/en-us/library/dd560801(WS.10).aspx
> >
> > But in all three above, I don't use it. :-/ I configure everything in
> > GPO, only 1 thing I have to do manually, setup the email signing.
> > And for that on my new mail server it's done also.
> > I only do , rename a pc, join a pc domain, set static ip if needed,
> > reboot 2x and login as my "second" Admin users to apply every computer policy.
> > Yes these first logins can take some time, I see that also, but that's only once here.
> > And the first login added my root CA.
> >
> > So, if your network setup is good, everything is applied by GPO.
> > I'm setting for example
> > any windows setting I want. ( per user/group or OU) Deploy software
> > where needed.
> > All my (MS) Office settings, Adobe reader, Printer deployment, certificate deployment and security settings.
> >
> > But my best advice about GPOs: start with small changes, and group your changes.
> > Like "GPO:InternetSettings" I have 1 gpo for IE/EDGE/CHROME/Firefox. With defaults.
> > Or GPO:PrinterDeploy, with only printer settings.
> > Etc. think good about this, and ask questions.
> > Order is > Computer policy rules, and most settings can be overruled by a user setting.
> > For example, my users are not allowed to read/write from USB.
> >
> > That's simply done in GPO, I now have for example.
> > 1) nobody can read/write from USB ( domain wide policy )
> > 2) a computer gpo setting can overwrite this by GPO. ( computer policy per OU or computer or group member )
> > 3) 2 groups contains, 1 read and 1 write ( regular groups USB_read and USB_write with members )
> > 4) select group of users has read right on usb. ( GPO linked to USB_read )
> > 5) select group of users has read/write right on usb. ( GPO linked to USB_read and USB_write )
> >
> > And really take small steps how this works, but once setup, you're done,
> > and then you can enjoy for extra free time on samba problems on the
> > list ;-P
>
> I use GPOs at another site, so I know about the need to take
> small steps, right!
>
> -
>
> Did in between:
>
> * rerun classic update: new policies, everything fresh, lower
> functional level now

You should stay at 2008R2 in my opinion.

>
> * uninstalled Kaspersky on the test PC
>
> * unjoined, rm-ed machine account on DC, re-joined ...
>
> I get lost somehow ...

On 2017-05-24 at 13:09, L.P.H. van Belle via samba wrote:

> I mean this
> https://www.isunshare.com/windows-8/run-computer-management-by-command-line.html
> (first picture)
> Right-click Computer Management.
> Then make a connection to the DC with the FSMO roles.
> Click the plus sign, System Tools, there are the shared folders.

I think I got it, but it gives an RPC Error (1728) and after that it
shows me that I (connected there as BUERO\Administrator) have no
permissions to look at the shared folders.

I am logged into the PC as local user as the login as
BUERO\Administrator just does not work out ....

> You can write in German to me, if that's easier for you,
> I can read it, I only lost my writing skill.

Maybe if it gets really bad ;-) thanks

>> that's the whole point in doing this, I don't want to touch
>> the individual PCs at all. This worked at another site as well.
> Ok that's good, then you missed something in the setup.

Yes.

>> * rerun classic update: new policies, everything fresh, lower
>> functional level now
> You should stay at 2008R2 in my opinion.

So I have to redo the raise now in my fresh ADS.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Wednesday 24 May 2017 13:24
> To: samba at lists.samba.org
> Subject: Re: [Samba] classic upgrade, splitting servers
>
> On 2017-05-24 at 13:09, L.P.H. van Belle via samba wrote:
>
> > I mean this
> > https://www.isunshare.com/windows-8/run-computer-management-by-command-line.html
> > (first picture)
> > Right-click Computer Management.
> > Then make a connection to the DC with the FSMO roles.
> > Click the plus sign, System Tools, there are the shared folders.
>
> I think I got it, but it gives an RPC Error (1728) and after
> that it shows me that I (connected there as
> BUERO\Administrator) have no permissions to look at the
> shared folders.

You forgot to set the SePrivileges to either "domain admins" or builtin\Administrator.

>
> I am logged into the PC as local user as the login as
> BUERO\Administrator just does not work out ....
>
> > You can write in German to me, if that's easier for you, I can read
> > it, I only lost my writing skill.
>
> Maybe if it gets really bad ;-) thanks
>
> >> that's the whole point in doing this, I don't want to touch the
> >> individual PCs at all. This worked at another site as well.
> > Ok that's good, then you missed something in the setup.
>
> Yes.
>
> >> * rerun classic update: new policies, everything fresh, lower
> >> functional level now
> > You should stay at 2008R2 in my opinion.
>
> So I have to redo the raise now in my fresh ADS.

Yes.

On Wed, 24 May 2017 13:23:42 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> I think I got it, but it gives an RPC Error (1728) and after that it
> shows me that I (connected there as BUERO\Administrator) have no
> permissions to look at the shared folders.
>
> I am logged into the PC as local user as the login as
> BUERO\Administrator just does not work out ....
>

Does 'Administrator' have a uidNumber attribute ?

Rowland

On 2017-05-24 at 13:26, L.P.H. van Belle via samba wrote:

>> I think I got it, but it gives an RPC Error (1728) and after
>> that it shows me that I (connected there as
>> BUERO\Administrator) have no permissions to look at the
>> shared folders.
> You forgot to set the SePrivileges to either "domain admins" or builtin\Administrator.

how could I? I don't even know they exist ;-)
pls remind me where to do that, thanks.

These are my recommended settings on SePrivileges.
They should all be on "domain Admins" and not any users.
This fixed the access denied if you connect through computer manager.

Change the 2 variables below to match your setup.

# The Administrator password is piped to each net command on stdin.
SETNTPASSWD="YOUR_Administrator_PASSWD"
SETNTDOM="NTDOM"

echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeDiskOperatorPrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeTakeOwnershipPrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeBackupPrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeRestorePrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeRemoteShutdownPrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SePrintOperatorPrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeAddUsersPrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeDiskOperatorPrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeSecurityPrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeSystemtimePrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeShutdownPrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeDebugPrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeSystemEnvironmentPrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeSystemProfilePrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeProfileSingleProcessPrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeIncreaseBasePriorityPrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeLoadDriverPrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeCreatePagefilePrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeIncreaseQuotaPrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeChangeNotifyPrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeUndockPrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeManageVolumePrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeImpersonatePrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeCreateGlobalPrivilege -UAdministrator
echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" SeEnableDelegationPrivilege -UAdministrator

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Wednesday 24 May 2017 13:45
> To: samba at lists.samba.org
> Subject: Re: [Samba] classic upgrade, splitting servers
>
> On 2017-05-24 at 13:26, L.P.H. van Belle via samba wrote:
>
> >> I think I got it, but it gives an RPC Error (1728) and after that it
> >> shows me that I (connected there as
> >> BUERO\Administrator) have no permissions to look at the shared
> >> folders.
> > You forgot to set the SePrivileges to either "domain admins" or builtin\Administrator.
>
> how could I? I don't even know they exist ;-)
> pls remind me where to do that, thanks.

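Added example, not part of the original mails: a way to check the outcome of the grants in the message above by parsing the account/rights listing that `net rpc rights list accounts` prints and reporting any account other than Domain Admins that holds a given privilege. The sample listing is constructed, the account BUERO\stefan is hypothetical, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit which accounts hold a privilege after the grants.
# Assumed input format (as printed by `net rpc rights list accounts`):
# an account name line, then one right per line, blocks separated by
# blank lines.

# Constructed sample listing, not taken from a real DC.
sample_rights() {
cat <<'EOF'
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Administrators
SeTakeOwnershipPrivilege
SeBackupPrivilege

BUERO\Domain Admins
SeDiskOperatorPrivilege
SeTakeOwnershipPrivilege

BUERO\stefan
SeDiskOperatorPrivilege
EOF
}

# holders PRIV: print every account that holds PRIV, one per line.
holders() {
    awk -v priv="$1" '
        BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one block per account
        { for (i = 2; i <= NF; i++) if ($i == priv) { print $1; break } }
    '
}

# unexpected_holders PRIV ALLOWED: holders of PRIV other than ALLOWED.
unexpected_holders() {
    holders "$1" | grep -vxF -- "$2" || true
}

# On a live DC, feed the real listing instead of the sample:
#   net rpc rights list accounts -UAdministrator | unexpected_holders ...
sample_rights | unexpected_holders SeDiskOperatorPrivilege 'BUERO\Domain Admins'
```

An empty result means only the allowed group holds the privilege; any name printed is a user or group that should be reviewed against the "Domain Admins only" recommendation.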
Hi,

we did an update from samba 4.5.5 to 4.6.3. We are having a Linux-Home
share for the windows users, but this is not working anymore. In the
smb.conf we are having something like the following

...
[%U_Home]
    comment = Home Directories
    path = %H
...

It seems that the "%H" is not replaced correctly or at least as before.

--
Regards
Andreas Hauffe

Head of the research field "Design Methods for Aircraft"
----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax : +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------