Bug 14972 - User member of default AD-group "Group Policy Creator Owners" cannot create GPOs with samba-tool
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.15.5
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-02-09 09:14 UTC by keesvanvloten
Modified: 2022-08-04 04:14 UTC

See Also:


Description keesvanvloten 2022-02-09 09:14:09 UTC
I am trying to create a GPO as a user in "Group Policy Creator Owners":

samba-tool gpo create 'testgpo' --user=gpo_manager --password=<password>
Using temporary directory /tmp/tmp_a869azf (use --tmpdir to change)
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <acl: unable to get access to CN={B4C8AF24-50C5-400C-B823-4AF8727AD8E6},CN=Policies,CN=System,DC=composers,DC=lan> <>
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 1244, in run
    self.samdb.add(m)


As a result the GPO is created neither on the filesystem nor in LDAP.
The doc here: 
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754948(v=ws.10)#delegating-creation-of-gpos
states:

"
The ability to create GPOs in a domain is a permission that is managed on a per-domain basis. By default, only members of the Domain Admins, Enterprise Admins, Group Policy Creator Owners, and SYSTEM groups can create new GPOs.
"

The permissions provided by the group "Group Policy Creator Owners" should be enough to create and manage GPOs. 

Using a user in this group prevents the need to use a domain-admin and is therefore IMHO a big security win.
This is even more important when managing the GPO (after creation with samba-tool) on a Windows client. When created by a domain-admin, it must be managed on Windows by a domain-admin, whereas otherwise an ordinary user member of "Group Policy Creator Owners" can be used. 
I would say a huge security gain and reason to make samba-tool work for users in "Group Policy Creator Owners".
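The first thing to verify when a member of "Group Policy Creator Owners" is refused on CN=Policies,CN=System is whether the container's DACL actually carries an allow ACE giving that group Create Child (CC) on the container itself. The script below is an added example, not code from the bug report or from Samba: it parses the SDDL string that `samba-tool dsacl get --objectdn="CN=Policies,CN=System,DC=composers,DC=lan"` prints for the container and reports whether a given group RID (520, the well-known RID of Group Policy Creator Owners, which SDDL abbreviates as PA) is allowed to create groupPolicyContainer children there. The sample SDDL strings are constructed for the example and only resemble a stock Policies container; the domain SID is made up.

```python
"""Check an SDDL descriptor for CN=Policies,CN=System for a GPO-creation grant.

Added example for Samba bug 14972; not part of Samba or of the bug report.
Run `samba-tool dsacl get --objectdn=<Policies DN> -H ldap://<dc> -U <admin>`
on a DC and feed the printed descriptor to can_create_gpos().
"""
import re

# schemaIDGUID of the groupPolicyContainer class; an object-specific ACE that
# restricts CC to this class still permits creating GPOs.
GPC_CLASS_GUID = "f30e3bc2-9ff0-11d1-b603-0000f80367c1"

# SDDL trustee aliases that are domain-relative RIDs (PA = Group Policy Creator Owners).
RID_ALIASES = {"PA": 520, "DA": 512, "EA": 519}
# Fixed well-known SIDs for the aliases that show up in this container's DACL.
FIXED_ALIASES = {"SY": "S-1-5-18", "AU": "S-1-5-11", "CO": "S-1-3-0"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_aces(sddl):
    """Return the DACL ACEs of an SDDL string as dicts, in order.

    Each ACE has the SDDL layout (type;flags;rights;object_guid;inherit_guid;trustee).
    The SACL (S:) part, if present, is ignored.
    """
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        parts = body.split(";")
        if len(parts) != 6:
            continue
        atype, flags, rights, obj, inh, trustee = parts
        aces.append({
            "type": atype,
            "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],
            "rights": rights,
            "object_guid": obj.lower(),
            "inherit_guid": inh.lower(),
            "trustee": trustee,
        })
    return aces


def resolve_trustee(trustee, domain_sid):
    """Expand an SDDL alias to a SID; literal SIDs and unknown aliases pass through."""
    if trustee in RID_ALIASES:
        return f"{domain_sid}-{RID_ALIASES[trustee]}"
    return FIXED_ALIASES.get(trustee, trustee)


def grants_create_child(rights):
    """True if the rights field contains Create Child (CC) or Generic All (GA).

    Rights may be two-letter tokens or a hex mask (0x1 = DS create child,
    0x10000000 = GENERIC_ALL).
    """
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return bool(mask & 0x1) or bool(mask & 0x10000000)
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return "CC" in tokens or "GA" in tokens


def can_create_gpos(sddl, domain_sid, group_rid=520):
    """True if an allow ACE on the container itself lets <domain_sid>-<group_rid>
    create groupPolicyContainer children.  This is a quick structural check, not a
    full access evaluation: deny ACEs and nested group membership are not considered.
    """
    target = f"{domain_sid}-{group_rid}"
    for ace in parse_aces(sddl):
        if ace["type"] not in ("A", "OA"):
            continue
        if "IO" in ace["flags"]:  # inherit-only: applies to children, not this container
            continue
        if resolve_trustee(ace["trustee"], domain_sid) != target:
            continue
        if ace["object_guid"] and ace["object_guid"] != GPC_CLASS_GUID:
            continue  # CC limited to some other object class
        if grants_create_child(ace["rights"]):
            return True
    return False


# Constructed sample data (not taken from a real domain).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# A Policies container whose DACL resembles a stock one: admins and SYSTEM have
# full control, Authenticated Users can read, and PA may create children.
SDDL_WITH_PA = (
    "O:DAG:DAD:P"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;CI;RPLCLORC;;;AU)"
    "(A;CI;CC;;;PA)"
)
# The same container with the PA grant missing, which is what produces LDAP error 50
# for a Group Policy Creator Owners member on the add.
SDDL_WITHOUT_PA = SDDL_WITH_PA.replace("(A;CI;CC;;;PA)", "")

if __name__ == "__main__":
    for name, sddl in (("with PA ACE", SDDL_WITH_PA), ("without PA ACE", SDDL_WITHOUT_PA)):
        print(f"{name}: GPCO can create GPOs -> {can_create_gpos(sddl, DOMAIN_SID)}")
```

If the grant is present in LDAP and the add still fails, the problem is in how the server evaluates the ACE (the acl module named in the error) rather than in the stored descriptor; if it is absent, `samba-tool dsacl set` can add an ACE for the group. Note that `samba-tool gpo create` also writes the GPT directory under sysvol, whose NT ACL is separate from the LDAP DACL checked here.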