Bug 14972 - User member of default AD-group "Group Policy Creator Owners" cannot create GPOs with samba-tool
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.15.5
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2022-02-09 09:14 UTC by keesvanvloten
Modified: 2022-08-04 04:14 UTC
CC List: 1 user

See Also:

Description keesvanvloten 2022-02-09 09:14:09 UTC
I am trying to create a GPO as a user in "Group Policy Creator Owners":

samba-tool gpo create 'testgpo' --user=gpo_manager --password=<password>
Using temporary directory /tmp/tmp_a869azf (use --tmpdir to change)
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <acl: unable to get access to CN={B4C8AF24-50C5-400C-B823-4AF8727AD8E6},CN=Policies,CN=System,DC=composers,DC=lan
> <>
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 1244, in run

As a result the GPO is not created on the filesystem nor in ldap.
The doc here: 

The ability to create GPOs in a domain is a permission that is managed on a per-domain basis. By default, only members of the Domain Admins, Enterprise Admins, Group Policy Creator Owners, and SYSTEM groups can create new GPOs.

The permissions provided by the group "Group Policy Creator Owners" should be enough to create and manage GPOs. 

Using a user in this group prevents the need to use a domain-admin and is therefore IMHO a big security win.
This is even more important when managing the GPO (after creation with samba-tool) on a Windows client. When created by a domain-admin, it must be managed on Windows by a domain-admin, whereas otherwise an ordinary user member of "Group Policy Creator Owners" can be used. 
I would say this is a huge security gain and a reason to make samba-tool work for users in "Group Policy Creator Owners".
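As an added example (not part of this bug report and not Samba's own code): a small Python check an administrator could run over the SDDL that `samba-tool dsacl get --objectdn='CN=Policies,CN=System,DC=composers,DC=lan'` prints, to confirm whether "Group Policy Creator Owners" (well-known RID 520) actually holds a create-child ACE for the groupPolicyContainer class on that container, which is the right the failing `samba-tool gpo create` needs. The SDDL strings are constructed samples with a placeholder domain SID, and the groupPolicyContainer schema GUID is assumed to be the standard one.

```python
import re

# Assumption: the standard schemaIDGUID of the groupPolicyContainer class.
GPC_CLASS_GUID = "f30e3bc2-9ff0-11d1-b603-0000f80367c1"
GPCO_RID = 520  # well-known RID of "Group Policy Creator Owners"
ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample DACL for CN=Policies,CN=System (placeholder domain SID).
GPCO_SID = "S-1-5-21-1111111111-2222222222-3333333333-520"
GPCO_ACE = "(OA;CI;CC;%s;;%s)" % (GPC_CLASS_GUID, GPCO_SID)
SDDL_OK = ("O:DAG:DAD:AI(A;CI;RPLCLORC;;;AU)" + GPCO_ACE
           + "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
SDDL_MISSING = SDDL_OK.replace(GPCO_ACE, "")  # same container, GPCO ACE absent

def parse_dacl_aces(sddl):
    """Return DACL ACEs as (type, flags, rights, object_guid, trustee) tuples."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]  # drop a trailing SACL, if any
    aces = []
    for body in ACE_RE.findall(dacl):
        parts = body.split(";")
        if len(parts) < 6:
            continue  # malformed ACE: ignore rather than guess
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = parts[:6]
        aces.append((ace_type, flags, rights, obj_guid.lower(), trustee))
    return aces

def rights_grant_create_child(rights):
    """CC (create child) or GA (generic all); rights are 2-letter tokens or a hex mask."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return bool(mask & (0x1 | 0x10000000))  # DS_CREATE_CHILD | GENERIC_ALL
    # Tokenize in pairs; a substring test would wrongly match "RC"+"CR" as "CC".
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & {"CC", "GA"})

def can_create_gpo(sddl, rid=GPCO_RID):
    """True if an allow ACE lets a trustee with this RID create groupPolicyContainer children."""
    for ace_type, _flags, rights, obj_guid, trustee in parse_dacl_aces(sddl):
        if ace_type not in ("A", "OA") or not trustee.endswith("-%d" % rid):
            continue
        # An object-specific ACE must name the GPC class; a plain ACE covers all classes.
        if rights_grant_create_child(rights) and obj_guid in ("", GPC_CLASS_GUID):
            return True
    return False

if __name__ == "__main__":
    for name, sddl in (("sample ok", SDDL_OK), ("sample missing", SDDL_MISSING)):
        print(name, "->", "GPCO can create GPOs" if can_create_gpo(sddl) else "GPCO cannot")
```

If the ACE is present on the container and `samba-tool gpo create` still fails, the problem is in Samba's acl module rather than in the directory's permissions.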