I am trying to create a GPO as a user in "Group Policy Creator Owners": samba-tool gpo create 'testgpo' --user=gpo_manager --password=<password> Using temporary directory /tmp/tmp_a869azf (use --tmpdir to change) ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <acl: unable to get access to CN={B4C8AF24-50C5-400C-B823-4AF8727AD8E6},CN=Policies,CN=System,DC=composers,DC=lan > <> File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run return self.run(*args, **kwargs) File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 1244, in run self.samdb.add(m) As a result the GPO is not created on the filesystem nor in ldap. The doc here: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754948(v=ws.10)#delegating-creation-of-gpos states: " The ability to create GPOs in a domain is a permission that is managed on a per-domain basis. By default, only members of the Domain Admins, Enterprise Admins, Group Policy Creator Owners, and SYSTEM groups can create new GPOs. " The permissions provided by the group "Group Policy Creator Owners" should be enough to create and manage GPOs. Using a user in this group prevents the need to use a domain-admin and is therefore IMHO a big security win. This is even more important when managing the GPO (after creation with samba-tool) on a Windows client. When created by a domain-admin, it must be managed on Windows by a domain-admin, whereas otherwise an ordinary user member of "Group Policy Creator Owners" can be used. I would say a huge security gain and reason to make samba-tool work for users in "Group Policy Creator Owners".