Since the upgrade from 4.16.5 to 4.17.X, samba-tool gpo restore seems to work only with the built-in Administrator user. If I try any other user which is a member of the same groups (Domain Users, Domain Admins, Schema Admins, Enterprise Admins, Group Policy Creator Owners, Administrators), I get the following error with this command:

samba-tool gpo restore "Company(ReadOnly)" "$baseline_ro/CompanyReadOnly/policy" --tmpdir=/tmp -Utestadmin

--
WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
GPO 'Test(ReadOnly)' created as {93CD1083-E8EE-44B5-A481-CB0982C08BBB}
WARNING: No such parser for comment.cmtx
WARNING: Falling back to simple copy-restore.
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 1674, in run
    copy_directory_local_to_remote(self.conn, self.gpodir,
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 382, in copy_directory_local_to_remote
    conn.savefile(r_name, data)
samba.NTSTATUSError: (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
(3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
Failed to restore GPO -- deleting...
GPO {93CD1083-E8EE-44B5-A481-CB0982C08BBB} deleted.
--

I already tried the following without any luck:

1. Different Samba versions; 4.18.X, 4.19.0, 4.17.X
2. New setup with Samba 4.19.0
3. Different user
4. Disable GPO removal in gpo.py to check permissions in the sysvol share
   a. The 'testadmin' user is able to create a new folder inside the policy directory with content, but has no write permissions inside the User folder (e.g. \\54321.local\sysvol\54321.local\Policies\{444C009C-1638-40A0-924D-2D3AEC1FD9BE}\User) -> This is also the reason why the gpo restore cmd fails

If I revert the Samba version to 4.16.5, the gpo restore command works instantly.

How can you reproduce this issue:

1. Deploy Samba Active Directory on Samba 4.17.x or newer
2. Create a new AD user with the same groups as the built-in administrator
3. Configure one Group Policy Object with Windows and back it up with samba-tool gpo backup
4. Use samba-tool gpo restore -Utestadmin to restore your export