L.P.H. van Belle
2019-Jul-26 10:09 UTC
[Samba] GPO issues - getting SYSVOL cleaned up again
One more I found is:
http://www.edugeek.net/forums/windows-7/145171-event-id-1053-group-policy.html
But I don't expect that to be your problem, just do check it.

And review these steps:
https://www.dell.com/support/article/nl/nl/nldhs1/sln163816/troubleshooting-group-policy-processing-errors-in-an-active-directory-domain?lang=en

I can type it all, but then you get more typos ;-)
Above links are the things I would check first.

And do update your ADMX files with the latest for win10 1903.

Now I'm out for lunch ;-)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Friday 26 July 2019 11:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] GPO issues - getting SYSVOL cleaned up again
>
> On 26.07.19 at 11:32, L.P.H. van Belle via samba wrote:
> > Hai Stefan,
> >
> > Look at this one.
> > https://pupuweb.com/solved-info-the-user-rsop-data-error-show-gpresult-r-command/
> >
> > This one might help here more.
>
> I don't get that message on every machine.
>
> Saw that link as well. Might try on site in a week. RDP ~ not so funny
>
> > Also check the output of: gpresult /R
> > And always post the event logs of windows complete. (even if it's in German)
> > Because there is more info in there for us than only the event id.
>
> On the W2008R2 server, logged in as DOMAIN\Administrator:
>
> Protokollname: System
> Quelle: Microsoft-Windows-GroupPolicy
> Datum: 26.07.2019 11:41:37
> Ereignis-ID: 1053
> Aufgabenkategorie:Keine
> Ebene: Fehler
> Schlüsselwörter:
> Benutzer: BUERO\Administrator
> Computer: PRE01SVBMD01.mydomain.at
> Beschreibung:
> Fehler bei der Verarbeitung der Gruppenrichtlinie. Der Benutzername
> konnte nicht aufgelöst werden. Dies kann mindestens eine der folgenden
> Ursachen haben:
> a) Fehler bei der Namensauflösung mit dem aktuellen Domänencontroller.
> b) Active Directory-Replikationswartezeit (ein auf einem anderen
> Domänencontroller erstelltes Konto hat nicht auf dem aktuellen
> Domänencontroller repliziert).
> Ereignis-XML:
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>   <System>
>     <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
>     <EventID>1053</EventID>
>     <Version>0</Version>
>     <Level>2</Level>
>     <Task>0</Task>
>     <Opcode>1</Opcode>
>     <Keywords>0x8000000000000000</Keywords>
>     <TimeCreated SystemTime="2019-07-26T09:41:37.514125500Z" />
>     <EventRecordID>917281</EventRecordID>
>     <Correlation ActivityID="{B2C69B1B-AC55-4B46-B739-C06CAF6FA24E}" />
>     <Execution ProcessID="1008" ThreadID="7124" />
>     <Channel>System</Channel>
>     <Computer>PRE01SVBMD01.mydomain.at</Computer>
>     <Security UserID="S-1-5-21-2940660672-4062535256-4144655499-500" />
>   </System>
>   <EventData>
>     <Data Name="SupportInfo1">1</Data>
>     <Data Name="SupportInfo2">2052</Data>
>     <Data Name="ProcessingMode">0</Data>
>     <Data Name="ProcessingTimeInMilliseconds">1670</Data>
>     <Data Name="ErrorCode">5</Data>
>     <Data Name="ErrorDescription">Zugriff verweigert </Data>
>   </EventData>
> </Event>
>
> ---
>
> also this:
>
> Protokollname: System
> Quelle: LsaSrv
> Datum: 26.07.2019 11:40:58
> Ereignis-ID: 40961
> Aufgabenkategorie:Keine
> Ebene: Warnung
> Schlüsselwörter:
> Benutzer: SYSTEM
> Computer: PRE01SVBMD01.mydomain.at
> Beschreibung:
> Das Sicherheitssystem konnte keine sichere Verbindung mit dem Server
> ldap/pre01svdeb02.mydomain.at/mydomain.at at mydomain.AT
> herstellen. Es war
> kein Authentifizierungsprotokoll verfügbar.
> Ereignis-XML:
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>   <System>
>     <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
>     <EventID>40961</EventID>
>     <Version>0</Version>
>     <Level>3</Level>
>     <Task>0</Task>
>     <Opcode>0</Opcode>
>     <Keywords>0x8000000000000000</Keywords>
>     <TimeCreated SystemTime="2019-07-26T09:40:58.256200100Z" />
>     <EventRecordID>917279</EventRecordID>
>     <Correlation />
>     <Execution ProcessID="692" ThreadID="6928" />
>     <Channel>System</Channel>
>     <Computer>PRE01SVBMD01.mydomain.at</Computer>
>     <Security UserID="S-1-5-18" />
>   </System>
>   <EventData>
>     <Data Name="Target">ldap/pre01svdeb02.mydomain.at/mydomain.at at mydomain.AT</Data>
>   </EventData>
> </Event>
>
> That fits your ldap.conf/LDAP suggestion, right?
>
> off for lunch now, checking back in ~2 hrs ... hopefully happier then
>
> thanks!
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
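Added example, not part of the thread: a Python script that parses the two Ereignis-XML records posted above and pairs the GroupPolicy 1053 error with an LsaSrv 40961 warning logged on the same computer shortly before it. The events are trimmed copies of the ones quoted in the message; the function names and the 120-second window are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
HEAD = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
GPO_FAILED = ("Microsoft-Windows-GroupPolicy", 1053)
LSA_NO_AUTH = ("LsaSrv", 40961)

# Sample input: the two events quoted in the thread, trimmed to the fields used
# below. The list archive shows the "@" in the Target value as " at ".
SAMPLE_EVENTS = [
    HEAD + '<Provider Name="Microsoft-Windows-GroupPolicy" /><EventID>1053</EventID>'
    '<TimeCreated SystemTime="2019-07-26T09:41:37.514125500Z" />'
    '<Computer>PRE01SVBMD01.mydomain.at</Computer></System><EventData>'
    '<Data Name="ErrorCode">5</Data>'
    '<Data Name="ErrorDescription">Zugriff verweigert </Data></EventData></Event>',
    HEAD + '<Provider Name="LsaSrv" /><EventID>40961</EventID>'
    '<TimeCreated SystemTime="2019-07-26T09:40:58.256200100Z" />'
    '<Computer>PRE01SVBMD01.mydomain.at</Computer></System><EventData>'
    '<Data Name="Target">ldap/pre01svdeb02.mydomain.at/mydomain.at at mydomain.AT</Data>'
    '</EventData></Event>',
]

def parse_event(xml_text):
    """Return (provider, id), UTC time, computer and named EventData values."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    return {
        "source": (system.find("e:Provider", NS).get("Name"),
                   int(system.findtext("e:EventID", namespaces=NS))),
        # SystemTime carries 100 ns precision; whole seconds are enough here.
        "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S"),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "data": {d.get("Name"): (d.text or "").strip()
                 for d in root.iterfind("e:EventData/e:Data", NS)},
    }

def auth_failures_before_gpo_error(events, window_s=120):
    """Pair 1053 errors with 40961 warnings on the same computer up to window_s (assumed) s earlier."""
    pairs = []
    for gpo in (e for e in events if e["source"] == GPO_FAILED):
        for lsa in (e for e in events if e["source"] == LSA_NO_AUTH):
            gap = (gpo["time"] - lsa["time"]).total_seconds()
            if lsa["computer"] == gpo["computer"] and 0 <= gap <= window_s:
                pairs.append({"computer": gpo["computer"], "gap_s": int(gap),
                              "error": gpo["data"].get("ErrorCode"),
                              "target": lsa["data"].get("Target")})
    return pairs

if __name__ == "__main__":
    print(auth_failures_before_gpo_error([parse_event(x) for x in SAMPLE_EVENTS]))
```

Run against a full export of the System log, this lists every GPO processing error that follows a failed secure connection to a DC, which is easier to read than scanning event IDs one by one.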
Stefan G. Weichinger
2019-Jul-31 08:32 UTC
[Samba] GPO issues - getting SYSVOL cleaned up again
On 26.07.19 at 12:09, L.P.H. van Belle via samba wrote:
> One more I found is:
> http://www.edugeek.net/forums/windows-7/145171-event-id-1053-group-policy.html
> But I don't expect that to be your problem, just do check it.

unfortunately I don't get the screenshot there

Wouldn't the ACLs set by your script be enough/correct? ;-)
L.P.H. van Belle
2019-Jul-31 08:47 UTC
[Samba] GPO issues - getting SYSVOL cleaned up again
Hai Stefan,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Wednesday 31 July 2019 10:32
> To: samba at lists.samba.org
> Subject: Re: [Samba] GPO issues - getting SYSVOL cleaned up again
>
> On 26.07.19 at 12:09, L.P.H. van Belle via samba wrote:
> > One more I found is:
> > http://www.edugeek.net/forums/windows-7/145171-event-id-1053-group-policy.html
> > But I don't expect that to be your problem, just do check it.
>
> unfortunately I don't get the screenshot there
>
> Wouldn't the ACLs set by your script be enough/correct? ;-)

Yes, my script is correct, that is verified/based with a windows 2008R2 setup.
But only the default rights are checked.
Default share rights ( everyone full control ) and
Default security (folder) rights.

You can make numerous changes as long as you have set the correct rights and understand why and how these rights are used.
And since no AD Domain is setup the same or used the same, a few small things might still be a bit different.

I pointed to that link because of the last message.
>> The OU the users were in required read permissions on the Authenticated Users security group!
I'm guessing this is what your problem is, I just don't know where in your AD.

Greetz,

Louis
Stefan G. Weichinger
2019-Jul-31 09:08 UTC
[Samba] GPO issues - getting SYSVOL cleaned up again
On 31.07.19 at 10:47, L.P.H. van Belle via samba wrote:

> I pointed to that link because of the last message.
>>> The OU the users were in required read permissions on the Authenticated Users security group!
> I'm guessing this is what your problem is, I just don't know where in your AD.

OK, that might be the case.

So the step is "add/check ACLs on the SYSVOL-share for the OU of the users" ?

Observation right now:

on the W2008R2 server the GPOs apply now!

on a w10 (per RDP) not

-

I definitely don't have the latest ADMX-files up on the DCs ... hesitating not to break more stuff
L.P.H. van Belle
2019-Jul-31 09:45 UTC
[Samba] GPO issues - getting SYSVOL cleaned up again
> On 31.07.19 at 10:47, L.P.H. van Belle via samba wrote:
>
> > I pointed to that link because of the last message.
> >>> The OU the users were in required read permissions on the Authenticated Users security group!
> > I'm guessing this is what your problem is, I just don't know where in your AD.
>
> OK, that might be the case.
>
> So the step is "add/check ACLs on the SYSVOL-share for the OU of the users" ?
>
> Observation right now:
>
> on the W2008R2 server the GPOs apply now!
>
> on a w10 (per RDP) not

I'm guessing you're missing something like this.
Quote from site http://www.mustbegeek.com/how-to-enable-gpo-loopback-processing/

GPO loopback processing is a mechanism that allows user policy to takes effect only on certain computers. Normally, user policy is linked to the user OU and will be applied regardless of which computer the user is signed in. However in this case, user policy is linked to the computer OU and will not takes effect to the user when signed in to computers outside this OU

> -
>
> I definitely don't have the latest ADMX-files up on the DCs ...
> hesitating not to break more stuff

Just backup the complete sysvol folder, and put the latest ADMX in the sysvol.

Greetz,

Louis