Re: [Samba] Rebuid the Corrupt default Group Policy
- Date: Thu, 13 Jul 2017 18:56:18 +0530
- From: Anantha Raghava via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Rebuid the Corrupt default Group Policy
The bash script you shared does not work. It doesn't reset the ACLs as
expected. Finally, I copied the default policies to the Domain
Controller SYSVOL folder and manually set the permissions and Windows
RSAT accepted those changes and it started working properly.
Thanks & Regards,
Do not print this e-mail unless required. Save Paper & trees.
On 07/07/17 2:39 PM, Rowland Penny wrote:
On Fri, 7 Jul 2017 05:29:30 +0530
Anantha Raghava via samba <samba@xxxxxxxxxxxxxxx> wrote:
Am 06.07.2017 um 10:02 schrieb Anantha Raghava via samba:
Is there any way we can rebuild corrupt Default Domain Policy and
Default Domain Controller Policy.
What is broken?
Entire Default Domain and Default Domain Controller Policies along
with other Polices that we had built are broken.
I have written a bash script that should do what you need and I have
attached a copy. I haven't tested it (never had need to), but it
should work, it is just a bash interpretation of the python code used
It was written on Devuan (Debian without systemd), so if you are using
some other OS, or have moved sysvol (not a good idea), then you may
need to tweak it.
In windows AD we can use dcgpofix utility to recreate the Default
Domain and Domain Controller Policies. Something similar available
in Samba AD DC?
You can recover the files from your backup and to reset
Sysvol/directory ACLs, run
# samba-tool ntacl sysvolreset
I believe, samba-tool ntacl sysvolreset does not function the manner
in which it is supposed to. I have seen many discussions on this.
The problem with sysvolreset isn't so much with the default policies,
it is with any extra policies you might add, this is further compounded
by giving 'Domain Admins' a gidNumber. 'Domain Admins' needs to own
directories in the extra policies added, it cannot do this if it has a
gidNumber, this is because it is then only a group and a group in Unix
cannot own anything.
In your case, after you have recreated sysvol, I would run sysvolreset,
then add your other policies and then never run sysvolrest again.
To unsubscribe from this list go to the following URL and read the