I am trying to create a GPO as a user in "Group Policy Creator Owners":

samba-tool gpo create 'testgpo' --user=gpo_manager --password=<password>
Using temporary directory /tmp/tmp_a869azf (use --tmpdir to change)
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <acl: unable to get access to CN={B4C8AF24-50C5-400C-B823-4AF8727AD8E6},CN=Policies,CN=System,DC=composers,DC=lan > <>
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 1244, in run
    self.samdb.add(m)

As a result the GPO is created neither on the filesystem nor in LDAP.

The doc here: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754948(v=ws.10)#delegating-creation-of-gpos states:

"The ability to create GPOs in a domain is a permission that is managed on a per-domain basis. By default, only members of the Domain Admins, Enterprise Admins, Group Policy Creator Owners, and SYSTEM groups can create new GPOs."

The permissions provided by the group "Group Policy Creator Owners" should be enough to create and manage GPOs. Using a user in this group prevents the need to use a domain admin and is therefore IMHO a big security win. This is even more important when managing the GPO (after creation with samba-tool) on a Windows client. When created by a domain admin, it must be managed on Windows by a domain admin, whereas otherwise an ordinary user who is a member of "Group Policy Creator Owners" can be used. I would say a huge security gain and reason to make samba-tool work for users in "Group Policy Creator Owners".
What is needed is an addition of "Group Policy Creator Owners" to the GPO container in LDAP and to the filesystem ACLs on the GPO directory. Somehow it looks like Samba has been setting these permissions quite differently, and that does work.

The settings below were created as a "Domain Admin" from a Windows 10 (21h2) machine. The filesystem ACLs have been slightly modified in order to have them as Posix-ACLs, which are much easier to manage (and more readable) from a Linux machine.

BTW. "samba-tool ntacl sysvolreset" will remove these changes. If the Samba defaults are changed according to the specs here, then "samba-tool ntacl sysvolreset" should be changed accordingly.

The filesystem ACLs on "/var/lib/samba/sysvol/example.com/Policies", when specified as Posix-ACLs, should be changed to:

----------------------
# owner: root
# group: BUILTIN\\administrators
user::rwx
user:NT Authority\\system:rwx
user:NT Authority\\authenticated users:r-x
user:EXAMPLE\\enterprise admins:rwx
user:EXAMPLE\\group policy creator owners:rwx
user:NT Authority\\enterprise domain controllers:r-x
group::rwx
group:NT Authority\\system:rwx
group:NT Authority\\authenticated users:r-x
group:EXAMPLE\\domain admins:rwx
group:EXAMPLE\\enterprise admins:rwx
group:EXAMPLE\\group policy creator owners:rwx
group:NT Authority\\enterprise domain controllers:r-x
mask::rwx
other::---
default:user::rwx
default:user:NT Authority\\system:rwx
default:user:NT Authority\\authenticated users:r-x
default:user:EXAMPLE\\domain admins:rwx
default:user:EXAMPLE\\enterprise admins:rwx
default:user:EXAMPLE\\group policy creator owners:rwx
default:user:NT Authority\\enterprise domain controllers:r-x
default:group::---
default:group:NT Authority\\system:rwx
default:group:NT Authority\\authenticated users:r-x
default:group:EXAMPLE\\domain admins:rwx
default:group:EXAMPLE\\enterprise admins:rwx
default:group:EXAMPLE\\group policy creator owners:rwx
default:group:NT Authority\\enterprise domain controllers:r-x
default:mask::rwx
default:other::---
----------------------

When specified as NT-ACLs it is probably slightly different; the important thing is that the group "Group Policy Creator Owners" has write permissions.

The LDAP container DS-ACLs on "CN=Policies,CN=System,DC=example,DC=com" should be changed to:

----------------------
O:DAG:DAD:ARAI
(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)
(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
(A;;RPLCLORC;;;AU)
(OA;;CC;f30e3bc2-9ff0-11d1-b603-0000f80367c1;;PA)
(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)
(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)
(A;CIID;LC;;;RU)
(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)
S:AI
(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
----------------------
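A way to verify the LDAP half of the delegation the report asks for, added here as an example (it is not code from the report or from Samba): a minimal SDDL parser built on the Python standard library reads the descriptor of the Policies container and lists which trustees hold an Allow ACE with Create Child (CC) for the groupPolicyContainer class on the container itself. That is exactly what the ACE `(OA;;CC;f30e3bc2-9ff0-11d1-b603-0000f80367c1;;PA)` grants to Group Policy Creator Owners, and it is the right that the LDAP_INSUFFICIENT_ACCESS_RIGHTS error above is complaining about. The SID-alias table and the class GUID are the well-known MS-DTYP / AD schema values; the embedded descriptor is an abbreviated copy of the one quoted in the report (the repeated inherit-only RP ACEs are trimmed), and the "without PA" variant is constructed by removing that one ACE. On a real DC the live descriptor would come from `samba-tool dsacl get` for the container DN instead of the embedded string.

```python
import re
from typing import NamedTuple

# Well-known SDDL SID aliases (MS-DTYP 2.4.2.4) for the trustees that appear
# in the descriptor quoted in the report. PA is Group Policy Creator Owners.
SID_ALIASES = {
    "DA": "Domain Admins", "EA": "Enterprise Admins",
    "PA": "Group Policy Creator Owners", "SY": "Local System",
    "AU": "Authenticated Users", "BA": "Builtin Administrators",
    "RU": "Pre-Windows 2000 Compatible Access", "PS": "Principal Self",
    "ED": "Enterprise Domain Controllers", "WD": "Everyone",
}

# schemaIDGUID of the groupPolicyContainer class: the object type the
# PA create-child ACE in the report is scoped to.
GPC_CLASS_GUID = "f30e3bc2-9ff0-11d1-b603-0000f80367c1"

# Abbreviated copy of the CN=Policies,CN=System,... descriptor from the report
# (several inherit-only RP property ACEs trimmed; they do not affect creation).
POLICIES_SDDL = (
    "O:DAG:DAD:ARAI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPLCLORC;;;AU)"
    "(OA;;CC;f30e3bc2-9ff0-11d1-b603-0000f80367c1;;PA)"
    "(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)"
    "(OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)"
    "(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)"
    "(A;CIID;LC;;;RU)"
    "(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)"
    "S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)

# Constructed for comparison: the same descriptor with the PA ACE removed,
# i.e. a container on which a PA member gets LDAP_INSUFFICIENT_ACCESS_RIGHTS.
WITHOUT_PA_SDDL = POLICIES_SDDL.replace(
    "(OA;;CC;" + GPC_CLASS_GUID + ";;PA)", "")


class Ace(NamedTuple):
    ace_type: str             # A, D, OA, OD, AU, OU ...
    flags: str                # CI, OI, IO, ID, SA ... concatenated
    rights: str               # two-letter right tokens concatenated, e.g. RPWPCC
    object_type: str          # GUID the ACE is scoped to ('' = every type)
    inherited_object_type: str
    trustee: str              # SID alias or literal S-1-... SID


def two_letter_tokens(field):
    """Split an SDDL flags or rights field into its two-letter tokens.
    Numeric (0x...) access masks are not handled here and yield no tokens."""
    if field.startswith("0x"):
        return []
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def parse_dacl(sddl):
    """Return the ACEs of the DACL part of an SDDL string (whitespace-tolerant,
    so a descriptor pasted with line breaks between ACEs still parses)."""
    compact = "".join(sddl.split())
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))+)", compact)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + body)
        aces.append(Ace(*fields[:6]))     # extra resource-attribute fields ignored
    return aces


def trustees_that_can_create(sddl, class_guid=GPC_CLASS_GUID):
    """Trustees holding an Allow ACE with Create Child (or Generic All) that
    applies to this object for class_guid. Inherit-only ACEs are skipped
    because they do not govern the container itself."""
    allowed = []
    for ace in parse_dacl(sddl):
        if ace.ace_type not in ("A", "OA"):
            continue
        if "IO" in two_letter_tokens(ace.flags):
            continue
        if not {"CC", "GA"} & set(two_letter_tokens(ace.rights)):
            continue
        if ace.object_type and ace.object_type.lower() != class_guid.lower():
            continue
        if ace.trustee not in allowed:
            allowed.append(ace.trustee)
    return allowed


def can_create_gpo(sddl, trustee="PA"):
    """True when the trustee (default: Group Policy Creator Owners) may create
    groupPolicyContainer objects under the described container."""
    return trustee in trustees_that_can_create(sddl)


if __name__ == "__main__":
    for label, sddl in (("delegated", POLICIES_SDDL), ("PA ACE missing", WITHOUT_PA_SDDL)):
        names = ", ".join(f"{t} ({SID_ALIASES.get(t, t)})" for t in trustees_that_can_create(sddl))
        print(f"{label}: {names}")
```

The check deliberately ignores Deny ACEs and numeric access masks, so a "can create" result is a necessary condition rather than a full access-check evaluation; for the Policies container in the report that is enough to tell whether the delegation ACE the report asks for is present.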