I am using a Samba4 domain controller, and I see this message on the machines joined to the domain:
The processing of Group Policy failed. Windows attempted to read the file \\mydomain.org\sysvol\mydomain.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled.
Running gpupdate gives me the same error. If I open the Run box and type notepad \\mydomain.org\sysvol\mydomain.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini, Notepad opens with the file in it. The contents are:
[General]
Version=14
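Clearly the file exists and is accessible (by a domain administrator, anyway). The mydomain.org name resolves to my domain controller's IP address. If I run GPRESULT /H GPReport.html, the resulting file says: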
Group Policy Infrastructure failed due to the error listed below. Access is denied. Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.
I have checked the ACLs with smbcacls on the domain folder under the sysvol share, and got the following output:
pi@dc-rpi1 ~ $ smbcacls //mydomain.org/sysvol mydomain.org -U [email protected]
Enter [email protected]'s password:
REVISION:1
CONTROL:SR|PD|DP
OWNER:MYDOMAIN\Administrator
GROUP:BUILTIN\Administrators
ACL:BUILTIN\Administrators:ALLOWED/OI|CI/FULL
ACL:BUILTIN\Server Operators:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
If I try to get the ACL of the gpt.ini file itself, I get this:
pi@dc-rpi1 ~ $ smbcacls //mydomain.org/sysvol mydomain.org/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/gpt.ini -U [email protected]
Enter [email protected]'s password:
REVISION:1
CONTROL:SR|PD|DP
OWNER:MYDOMAIN\Domain Admins
GROUP:MYDOMAIN\Domain Admins
ACL:MYDOMAIN\Domain Admins:ALLOWED/OI|CI/FULL
ACL:MYDOMAIN\Enterprise Admins:ALLOWED/OI|CI/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:MYDOMAIN\Domain Admins:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\ServerLogon:ALLOWED/OI|CI/READ
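Why is Group Policy processing not working? Are the ACLs not working because my DC is not running the right file system, or is it some other obscure configuration problem?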
I ran samba-tool ntacl sysvolreset for a few seconds, then re-ran the smbcacls command. The output did not change, but gpupdate no longer fails. Huh.
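I have run into this problem before on a mixed Samba4 and Windows domain. At least in my case, the problem turned out to be that the sysvol share was out of sync between the domain controllers. In my case, my sync script had stopped working, and one domain controller had a GPO that the other did not. I fixed the sync problem and everything went back to normal.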
Hope this helps someone.
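
The sysvol drift described in the last answer (one domain controller holding a GPO the other lacks) can be detected by comparing GPO folders and gpt.ini versions across two copies of the Policies directory. This is an added example, not part of the original posts; the function names, the way the second copy is obtained, and the sample data are assumptions.

```bash
# Added example: detect sysvol drift between two domain controllers.
# Each argument is a Policies directory, e.g. the local sysvol and a mounted
# or rsync'd copy from the other DC (how you obtain the copy is an assumption).

# Print "GUID VERSION" for every GPO folder under a Policies directory.
gpo_versions() {
    for dir in "$1"/\{*\}; do
        [ -d "$dir" ] || continue
        ver=
        if [ -f "$dir/gpt.ini" ]; then
            # gpt.ini normally has CRLF line endings; strip CR before matching.
            ver=$(tr -d '\r' < "$dir/gpt.ini" | sed -n 's/^[Vv]ersion=//p' | head -n 1)
        fi
        echo "${dir##*/} ${ver:-MISSING}"
    done
}

# Print one line per GPO that differs; return 1 if any drift is found.
compare_sysvol() {
    drift=$( { gpo_versions "$1" | sed 's/^/A /'; gpo_versions "$2" | sed 's/^/B /'; } |
        awk '{ seen[$2] = 1; v[$1, $2] = $3 }
             END { for (g in seen) {
                 a = (("A", g) in v) ? v["A", g] : "ABSENT"
                 b = (("B", g) in v) ? v["B", g] : "ABSENT"
                 if (a != b) print g ": " a " vs " b } }' | sort)
    [ -z "$drift" ] && return 0
    echo "$drift"
    return 1
}

# Constructed sample: dc1 holds two GPOs; dc2 lacks one and lags on the other.
make_sample() {
    root=$(mktemp -d)
    g1='{31B2F340-016D-11D2-945F-00C04FB984F9}'   # GUID from the question
    g2='{00000000-0000-0000-0000-0000000000AA}'   # constructed placeholder
    mkdir -p "$root/dc1/$g1" "$root/dc1/$g2" "$root/dc2/$g1"
    printf '[General]\r\nVersion=14\r\n' > "$root/dc1/$g1/gpt.ini"
    printf '[General]\r\nVersion=3\r\n'  > "$root/dc1/$g2/gpt.ini"
    printf '[General]\r\nVersion=13\r\n' > "$root/dc2/$g1/gpt.ini"
    echo "$root"
}

sample=$(make_sample)
compare_sysvol "$sample/dc1" "$sample/dc2" || echo "sysvol copies differ"
rm -rf "$sample"
```

A GPO reported as ABSENT or with differing versions on the two sides means clients may get different policy depending on which domain controller answers.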