Bug 10887 - Only built-in administrator account can create or modify GPOs
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.1.6
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2014-10-20 15:39 UTC by justinb
Modified: 2021-12-07 22:46 UTC

Description justinb 2014-10-20 15:39:41 UTC
After any fresh installation of samba Version 4.1.6-Ubuntu from the default Ubuntu server 14.04 repositories, group policy objects have been made unmodifiable and uncreatable by anyone but the built-in administrative account. This happens usually within 24 hours and does not have any system event which seems to trigger it.

The accounts/groups in question have full control within the sysvol folder all the way to the individual policy folders within the NT permissions. Use of samba-tool ntacl sysvolreset does not help the issue. In fact, it maps ownership to a non-existent group (3000008) within the installation. Giving specific POSIX permissions/ownership does not help either. Even full 777 permission sets do not allow the GPO to be created or modified. The users/groups in question can create and modify files within the Policies folder so long as they are not a GPO. Any attempt to create a GPO gives an access denied error. Modifying a GPO as anyone other than the built-in administrative account causes an unhandled exception and corrupts the policy.
Comment 1 Björn Jacke 2021-12-07 22:46:00 UTC
Really looks like a broken setup, this is not a generic samba bug.