On Mon, 21 Oct 2024 17:01:36 +0200
Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
> hi all,
>
> I am maybe in the situation described here:
> https://wiki.samba.org/index.php/Sysvolreset
>
> The Domain Admins group does indeed have a gidNumber and alas I ran a
>
> ./bin/samba-tool ntacl sysvolcheck
>
> What's more in my situation is that when I access the sysvol from the
> Windows side (runas /user:administrator computer management ->
> connect to server -> system -> shares -> sysvol), as soon as I click
> on the 'security' tab, the commandlet crashes.
>
> The sysvol folder still serves the group policies correctly, the
> administrator can edit them, but all other users who used to manage
> them are now forbidden.
>
> I already ran the samba-check-set-sysvol.sh script, from the Linux
> side the ACLs look fine (they are incomplete, but I know that I need
> to grant the privileges from the Windows side, which I can't reach).
>
> I didn't find any piece of useful information about the 'computer
> management' crash in event viewer or in samba logs.
>
> What am I missing?
>
It is not so much what you are missing, it is probably what you have
got ;-)
The situation hasn't changed, Domain Admins still needs to own things
in sysvol and cannot if it has a gidNumber attribute, so remove it and
run 'net cache flush' everywhere on Unix land.
If you must have a Domain Admins type group on Unix, then create one in
AD, give that a gidNumber attribute and join it to Administrators.
Rowland
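
An added example, not part of the original thread: a shell sketch of the check and fix Rowland describes. It reads `ldbsearch` output, reports any record that carries a gidNumber, and builds the LDIF that deletes it. The `SAM_LDB` path, the `samdom.example.com` DNs and the sample records are constructed assumptions.

```shell
#!/bin/sh
# Assumed real-world use on a DC (SAM_LDB = path to your private/sam.ldb):
#   ldbsearch -H "$SAM_LDB" '(sAMAccountName=Domain Admins)' gidNumber \
#       | find_gidnumber | removal_ldif > fix.ldif
#   ldbmodify -H "$SAM_LDB" fix.ldif && net cache flush

# Constructed sample of ldbsearch output, including a folded DN line.
sample_ldif() {
cat <<'EOF'
# record 1
dn: CN=Domain Admins,CN=Users,DC=samdom,
 DC=example,DC=com
gidNumber: 10000

# record 2
dn: CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com

# returned 2 records
EOF
}

# Print "DN<TAB>gidNumber" for every record that has a gidNumber.
find_gidnumber() {
    awk '
        function emit() {
            if (line == "")                 dn = ""   # record boundary
            else if (line ~ /^dn: /)        dn = substr(line, 5)
            else if (line ~ /^gidNumber: /) print dn "\t" substr(line, 12)
        }
        /^ / { line = line substr($0, 2); next }      # unfold continuation
             { emit(); line = $0 }
        END  { emit() }
    '
}

# Turn "DN<TAB>gid" lines into an ldbmodify LDIF that deletes gidNumber.
removal_ldif() {
    while IFS="$(printf '\t')" read -r dn gid; do
        printf 'dn: %s\nchangetype: modify\ndelete: gidNumber\n\n' "$dn"
    done
}

# Stand-alone run: show the LDIF generated for the constructed sample.
sample_ldif | find_gidnumber | removal_ldif
```

An empty result from `find_gidnumber` means the group has no gidNumber and nothing needs removing.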