Samba4 domain controller: Group Policy processing fails, gpupdate fails


I am running a Samba4 domain controller, and on a domain-joined machine I see this message:

The processing of Group Policy failed. Windows attempted to read the file \\mydomain.org\sysvol\mydomain.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
a) Name Resolution/Network Connectivity to the current domain controller. 
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
c) The Distributed File System (DFS) client has been disabled.

Running gpupdate produces the same error. If I open the Run box and type notepad \\mydomain.org\sysvol\mydomain.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini, Notepad opens with the file. Its contents are:

[General]
Version=14

So the file clearly exists and is accessible (at least to a domain admin). The name mydomain.org resolves to the IP address of my domain controller. If I run GPRESULT /H GPReport.html, the generated file shows:

Group Policy Infrastructure failed due to the error listed below.

Access is denied. 

Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.

I have checked the ACL on the domain folder under the sysvol share with smbcacls and got the following output:

pi@dc-rpi1 ~ $ smbcacls //mydomain.org/sysvol mydomain.org -U [email protected]
Enter [email protected]'s password:
REVISION:1
CONTROL:SR|PD|DP
OWNER:MYDOMAIN\Administrator
GROUP:BUILTIN\Administrators
ACL:BUILTIN\Administrators:ALLOWED/OI|CI/FULL
ACL:BUILTIN\Server Operators:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ

If I try to get the ACL of the gpt.ini file itself, I get this:

pi@dc-rpi1 ~ $ smbcacls //mydomain.org/sysvol mydomain.org/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/gpt.ini -U [email protected]
Enter [email protected]'s password:
REVISION:1
CONTROL:SR|PD|DP
OWNER:MYDOMAIN\Domain Admins
GROUP:MYDOMAIN\Domain Admins
ACL:MYDOMAIN\Domain Admins:ALLOWED/OI|CI/FULL
ACL:MYDOMAIN\Enterprise Admins:ALLOWED/OI|CI/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:MYDOMAIN\Domain Admins:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\ServerLogon:ALLOWED/OI|CI/READ

Why is Group Policy processing not working? Is the ACL not working because my DC is not running the right file system, or is it some other non-obvious configuration problem?

Answer 1

I ran samba-tool ntacl sysvolreset, which took a few seconds, then re-ran the smbcacls command. The output did not change, but gpupdate no longer fails. Huh.

Answer 2

I have run into this before in a mixed Samba4 and Windows domain. At least in my case, the problem turned out to be that the sysvol shares were not in sync between the domain controllers. My sync script had stopped working, so one domain controller had the GPO and the other did not. I fixed the sync problem and everything went back to normal.

Hope this helps someone.
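The two answers point at two different root causes: sysvol ACLs that do not actually grant the client's machine account read access (Answer 1), and sysvol content that has drifted between domain controllers (Answer 2). The POSIX shell script below is an added example, not code from this thread or from the Samba project. It shows the two checks a DC admin can run before resorting to the ACL rewrite that `samba-tool ntacl sysvolreset` performs: compare the gpt.ini Version value for one GPO as seen on two DCs, and confirm from smbcacls output that a given principal holds an ALLOWED READ or FULL ACE. All input data is constructed; in a real run the gpt.ini text would be read from each DC's sysvol (Samba's default location is /var/lib/samba/sysvol) and the ACL text would come from smbcacls as in the question. The CRLF line endings in the second sample are deliberate, because gpt.ini written by Windows tools usually carries them.

```shell
#!/bin/sh
# Added example (not part of the original thread): offline sanity checks for
# Samba AD DC sysvol consistency. Sample data below is constructed.

# Print the Version= value from gpt.ini content read on stdin (empty if absent).
# Windows writes gpt.ini with CRLF line endings, so strip \r before matching.
gpt_version() {
    tr -d '\r' | sed -n 's/^Version=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Compare the gpt.ini content of one GPO from two DCs.
# Prints "in-sync", "drift", or "missing" (one side has no Version line).
compare_gpt() {
    v1=$(printf '%s\n' "$1" | gpt_version)
    v2=$(printf '%s\n' "$2" | gpt_version)
    if [ -z "$v1" ] || [ -z "$v2" ]; then
        echo "missing"
    elif [ "$v1" = "$v2" ]; then
        echo "in-sync"
    else
        echo "drift"
    fi
}

# Check smbcacls output ($2) for an ALLOWED ACE granting READ or FULL to
# principal $1 (e.g. 'NT AUTHORITY\Authenticated Users'). Prints yes/no.
# grep -F is used so the backslash in the principal name is taken literally.
has_read_ace() {
    if printf '%s\n' "$2" | grep -F "ACL:$1:ALLOWED/" | grep -E '/(READ|FULL)$' >/dev/null 2>&1; then
        echo "yes"
    else
        echo "no"
    fi
}

# --- constructed sample input -------------------------------------------
# gpt.ini as it would be read from DC1 (LF endings) and DC2 (CRLF endings).
DC1_GPT='[General]
Version=14'
DC2_GPT=$(printf '[General]\r\nVersion=12\r\n')

# Abbreviated smbcacls output for the domain folder under sysvol.
SYSVOL_ACL='REVISION:1
CONTROL:SR|PD|DP
OWNER:MYDOMAIN\Administrator
GROUP:BUILTIN\Administrators
ACL:BUILTIN\Administrators:ALLOWED/OI|CI/FULL
ACL:BUILTIN\Server Operators:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ'

# --- usage ---------------------------------------------------------------
echo "GPO version DC1 vs DC2: $(compare_gpt "$DC1_GPT" "$DC2_GPT")"
echo "Authenticated Users can read sysvol: $(has_read_ace 'NT AUTHORITY\Authenticated Users' "$SYSVOL_ACL")"
echo "Domain Users can read sysvol: $(has_read_ace 'MYDOMAIN\Domain Users' "$SYSVOL_ACL")"
```

A "drift" result points at the replication problem in Answer 2 (the client may be reading from the DC whose copy is stale or absent), while a "no" for Authenticated Users on the sysvol tree points at the ACL problem in Answer 1. Machine accounts authenticate as members of Authenticated Users, so that ACE is the one that matters for gpupdate; Samba also ships `samba-tool ntacl sysvolcheck`, which reports ACL problems without rewriting anything.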
