On Tue, 6 Nov 2018 16:14:11 +0100 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

>
> > read the file \eccm
> > g.cupet.cusysvoldomainPolicies{31B2F340-016D-11D2-945F-00C04FB984F9}
> > gpt.ini from a domain controller and was not successful.
> >
>
> That is just an incorrectly configured sysvol share.
> The computer computer$ impersonates itself through user SYSTEM.
> And that one does not have rights to gpt.ini.
>
> Same for you...
> I suggest, start reading here, it explains all.
> https://lists.samba.org/archive/samba/2018-February/213690.html
>
> My output with 4.8.6.
>
> C:\>gpupdate
> Updating policy...
>
> Computer Policy update has completed successfully.
> User Policy update has completed successfully.
>
>
> And this works as of samba 4.4.x and up for me.
> And yes, this is a bit of a workaround for some nasty bugs but it's working
> fine here.
>
> I install software/certificates, create local users, change/add
> localgroups to computers, deploy printers, etc. All done with GPO,
> and yes, it was hell to get it working.
>
>
> Greetz,
>

Yes, but do you delete the default Policies that are hardcoded into AD ?

Rowland

Greetings, Rowland Penny!

> Yes, but do you delete the default Policies that are hardcoded into AD ?

There's no "policies", there's one policy that is completely empty.
Which you can safely unlink or delete.
Just make sure you are doing it through the GPO management UI, so no stray links are left over.

That said, your earlier assessment that the share permissions are an issue may still hold true.

--
With best regards,
Andrey Repin
Saturday, November 10, 2018 3:40:59

Sorry for my terrible english...

On Sat, 10 Nov 2018 04:07:43 +0300 Andrey Repin <anrdaemon at yandex.ru> wrote:

> Greetings, Rowland Penny!
>
> > Yes, but do you delete the default Policies that are hardcoded into
> > AD ?
>
> There's no "policies", there's one policy that is completely empty.
> Which you can safely unlink or delete.

No, there are two default policies, the default domain policy and the default DC policy and yes, whilst they are both empty, the GUIDs are hardcoded into AD. They are expected to be there and will cause errors if not found.

You should not modify these policies, you should create new ones, this isn't a Samba thing, it is a Microsoft best practice.

Rowland