Group Policy Errors for Win7 clients


#1

I’ve recently added some Win7 clients to our network and they’re having problems picking up group policy objects.

The samba sysvol folder on the UCS DC shows two domain subfolders - one in lowercase, and one in uppercase. I’m out of my depth here - but that doesn’t seem correct to me.
Both folders have the same permissions (770 Administrator Administrators) and the same time stamp.

Group policy management console on a workstation shows the policies are referenced to the lower case folder, but the policies are stored in the upper case folder. I can browse to both folders on the Win7 client, but can only see one policy (same GUID in both folders).

sysvol folder:

drwxrwx---+ 4 Administrator Administrators 4096 Jun 22 13:07 domain.local
drwxrwx---+ 5 Administrator Administrators 4096 Jun 22 13:07 DOMAIN.local

Group policy management console error message:

Could not find file '\\ucsdc.domain.local\SysVol\domain.local\Policies\{60F3E2F8-F8B6-4BE9-8743-08CF3BAFCDD9}\User\Preferences\Drives\drives.xml'

So a couple of queries -

  • Should there be upper and lower case domain name folders in sysvol? Which is correct?
  • Are the permissions correct for those folders if the client cannot see their contents?

Thanks for any assistance.
Tom


#2

Hello,

Regarding the permissions - the sysvol should look like this:

root@master401:~# testparm -vs 2>/dev/null | grep -A 5 '^\[sysvol\]'
[sysvol]
path = /var/lib/samba/sysvol
read only = No
case sensitive = No
acl xattr update mtime = Yes

root@master401:~#

You could copy the different GPOs in one directory and link them as a workaround but it looks strange to have those different directories.
Did this help?

Kind regards,
Jens Thorp-Hansen
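
One way to check from the DC's shell which names under sysvol differ only by letter case, and which copy of each GPO actually holds files, before consolidating anything. This is an added example, not part of the original thread: the function names and the sample tree are constructed for illustration, and the GUID is the one from the error message in post #1.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report sysvol entries whose names differ
# only by letter case and show which copy of each GPO actually holds files.
# Needs a case-sensitive filesystem, as on the Linux DC in the thread.

# Print one line per colliding group: the names, tab-separated.
case_collisions() {
    LC_ALL=C ls -1A -- "$1" | awk '
        { k = tolower($0); n[k]++; names[k] = (n[k] > 1 ? names[k] "\t" $0 : $0) }
        END { for (k in n) if (n[k] > 1) print names[k] }' | sort
}

# Print "<folder> <GPO GUID> <file count>" for each policy under colliding folders.
gpo_locations() {
    local dir=$1 name gpo
    case_collisions "$dir" | tr '\t' '\n' | while IFS= read -r name; do
        for gpo in "$dir/$name"/Policies/\{*\}; do
            if [ -d "$gpo" ]; then
                printf '%s %s %d\n' "$name" "${gpo##*/}" \
                    "$(find "$gpo" -type f | wc -l)"
            fi
        done
    done
}

# Constructed sample tree mirroring the listing in the thread (not real data).
make_sample() {
    local root guid='{60F3E2F8-F8B6-4BE9-8743-08CF3BAFCDD9}'
    root=$(mktemp -d)
    mkdir -p "$root/domain.local/Policies/$guid" \
             "$root/DOMAIN.local/Policies/$guid/User/Preferences/Drives" \
             "$root/DOMAIN.local/scripts"
    : > "$root/DOMAIN.local/Policies/$guid/User/Preferences/Drives/drives.xml"
    printf '%s\n' "$root"
}

# Usage: pass the sysvol path (e.g. /var/lib/samba/sysvol); no argument runs the sample.
if [ "$#" -gt 0 ]; then
    gpo_locations "$1"
else
    sample=$(make_sample)
    gpo_locations "$sample"
    rm -rf -- "$sample"
fi
```

A copy that reports 0 files is an empty shell of the policy; the script only reads the tree and changes nothing.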


#3

Hi Jens

Thanks for the response. My samba permissions match yours exactly, indicating it's not a permissions problem. So likely related to the upper/lower case sysvol folders.

I still can't work out where they’ve come from - especially if samba is not case sensitive. They’re definitely system generated, I just can’t work out which system!

Is there a way to see which machines are accessing which folder from the server logs? (Or from the Windows logs I guess)

Thanks very much
Tom

root@ucsdc:~# testparm -vs 2>/dev/null | grep -A 5 '^\[sysvol\]'
[sysvol]
path = /var/lib/samba/sysvol
read only = No
case sensitive = No
acl xattr update mtime = Yes


#4

The sysvol folder is created by the machine itself, so you would not see which client (if a client triggered the sysvol folder) “created” it. My gut feeling says the Windows machines are the culprit here, but I cannot say for sure. There is AFAIK no specific access log “out-of-the-box” (entries can be found in the samba log and others that log access to sysvol relevant tasks - how deep depends on the log level), though you can AFAIK activate folder auditing in Windows for specific folders. That only yields information from this point onward.

Regards,
Jens Thorp-Hansen