The Samba-Bugzilla – Bug 10887
Only built-in administrator account can create or modify GPOs
Last modified: 2015-07-31 08:35:28 UTC
After any fresh installation of Samba Version 4.1.6-Ubuntu from the default Ubuntu server 14.04 repositories, group policy objects have been made unmodifiable and uncreatable by anyone but the built-in administrative account. This usually happens within 24 hours and does not have any system event which seems to trigger it.
The accounts/groups in question have full control within the sysvol folder all the way to the individual policy folders within the NT permissions. Use of samba-tool ntacl sysvolreset does not help the issue. In fact, it maps ownership to a non-existent group (3000008) within the installation. Giving specific POSIX permissions/ownership does not help either. Even full 777 permission sets do not allow the GPO to be created or modified. The users/groups in question can create and modify files within the Policies folder so long as they are not a GPO. Any attempt to create a GPO gives an access denied error. Modifying a GPO as anyone other than the built-in administrative account causes an unhandled exception and corrupts the policy.