GPOs containing GPWL (Wireless/Wired Protocol Extension) policies cannot be deleted with samba-tool. This is due to GPWL storing policy objects inside LDAP under the GPO entry (e.g. "CN=IEEE8023, CN=Windows, CN=Microsoft, [GPO DN]" or "CN=IEEE80211, CN=Windows, CN=Microsoft, [GPO DN]" or "CN=Wireless, CN=Windows, CN=Microsoft, [GPO DN]"), which leads to:

ERROR(ldb): uncaught exception - LDAP error 66 LDAP_NOT_ALLOWED_ON_NON_LEAF - <00002015: subtree_delete: Unable to delete a non-leaf node (it has 1 children)!> <>
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line 1784, in run
    self.samdb.delete(ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn)))

Additionally, if the "CN=User" GPO subentry is successfully deleted but "CN=Machine" is not, one will not be able to retry the delete operation with samba-tool, since the "CN=User" entry is already deleted.
This bug was referenced in samba master: bb12f19e4fe100029c32bdab92aa6515be7e71f6
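The failure described in the report above, reproduced as an added example against an in-memory model of the directory (not Samba code and not the fix from the referenced commit). It shows the fixed-order delete failing with error 66, the retry failing with error 32, and a deepest-first delete that recovers from the half-deleted state. The class and function names, the placeholder GUID and domain, and the placement of the GPWL container under CN=Machine are assumptions.

```python
# Added illustration: an in-memory stand-in for the directory, not Samba code.
NO_SUCH_OBJECT = 32            # standard LDAP result codes
NOT_ALLOWED_ON_NON_LEAF = 66

class LdapError(Exception):
    def __init__(self, code, dn):
        super().__init__(f"LDAP error {code} on {dn}")
        self.code = code

class ToyDirectory:
    """Set of DNs with the leaf-only delete rule of an LDAP server."""
    def __init__(self, dns):
        self.dns = set(dns)

    def subtree(self, base):
        return [d for d in self.dns if d == base or d.endswith("," + base)]

    def delete(self, dn):
        if dn not in self.dns:
            raise LdapError(NO_SUCH_OBJECT, dn)
        if len(self.subtree(dn)) > 1:          # entry still has descendants
            raise LdapError(NOT_ALLOWED_ON_NON_LEAF, dn)
        self.dns.remove(dn)

def fixed_order_delete(d, gpo_dn):
    """Order implied by the report: CN=User, CN=Machine, then the GPO entry."""
    for dn in ("CN=User," + gpo_dn, "CN=Machine," + gpo_dn, gpo_dn):
        d.delete(dn)

def leaf_first_delete(d, gpo_dn):
    """Delete whatever still exists under the GPO, deepest entries first."""
    for dn in sorted(d.subtree(gpo_dn), key=lambda x: x.count(","), reverse=True):
        d.delete(dn)

def sample_gpo():
    # Constructed sample: placeholder GUID and domain; GPWL container assumed
    # to sit under CN=Machine, as the failing delete in the traceback suggests.
    gpo = "CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=com"
    ms = "CN=Microsoft,CN=Machine," + gpo
    return gpo, ToyDirectory([gpo, "CN=User," + gpo, "CN=Machine," + gpo, ms,
                              "CN=Windows," + ms, "CN=IEEE8023,CN=Windows," + ms])

def demo():
    gpo, d = sample_gpo()
    codes = []
    for _ in range(2):                 # first attempt, then the retry
        try:
            fixed_order_delete(d, gpo)
        except LdapError as e:
            codes.append(e.code)
    leaf_first_delete(d, gpo)          # works from the half-deleted state
    return codes, len(d.dns)
```

Because the deepest-first variant enumerates only entries that still exist, it is safe to rerun after a partial failure, which is the retry case the report says samba-tool cannot handle.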