Created attachment 18253
Account Unknown ACE of missing groups

Provisioning does not create the Enterprise Key Admins, Key Admins, and Cloneable Domain Controllers groups. The groups are missing from the ./source4/setup/provision_users.ldif file. However, it does create ACLs for those groups, which results in "Account Unknown" ACEs (cf. screen capture).

root@srvads1:~# samba-tool group list
Read-only Domain Controllers
Domain Guests
RAS and IAS Servers
Performance Monitor Users
Domain Users
Distributed COM Users
Print Operators
Performance Log Users
Domain Admins
Account Operators
Denied RODC Password Replication Group
DnsUpdateProxy
Enterprise Read-only Domain Controllers
Certificate Service DCOM Access
Replicator
Terminal Server License Servers
Pre-Windows 2000 Compatible Access
Domain Computers
Incoming Forest Trust Builders
Event Log Readers
Server Operators
DnsAdmins
Protected Users
Enterprise Admins
Allowed RODC Password Replication Group
Cryptographic Operators
Guests
Network Configuration Operators
Schema Admins
Windows Authorization Access Group
Users
Group Policy Creator Owners
Cert Publishers
Backup Operators
Administrators
IIS_IUSRS
Remote Desktop Users
Domain Controllers