Bug 10887 - Only built-in administrator account can create or modify GPOs
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.1.6
Hardware: All Linux
Importance: P5 normal
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2014-10-20 15:39 UTC by justinb
Modified: 2015-07-31 08:35 UTC (History)

Description justinb 2014-10-20 15:39:41 UTC
After any fresh installation of samba Version 4.1.6-Ubuntu from the default Ubuntu server 14.04 repositories, group policy objects have been made unmodifiable and uncreatable by anyone but the built-in administrative account. This happens usually within 24 hours and does not have any system event which seems to trigger it.

The accounts/groups in question have full control within the sysvol folder all the way to the individual policy folders within the NT permissions. Use of samba-tool ntacl sysvolreset does not help the issue. In fact, it maps ownership to a non-existent group (3000008) within the installation. Giving specific POSIX permissions/ownership does not help either. Even full 777 permission sets do not allow the GPO to be created or modified. The users/groups in question can create and modify files within the Policies folder so long as they are not a GPO. Any attempt to create a GPO gives an access denied error. Modifying a GPO as anyone other than the built-in administrative account causes an unhandled exception and corrupts the policy.