Starting with Samba version 4.20.0, when using the Group Policy Management app included with Windows RSAT, under "Delegation", it is not possible to set "Apply group policy" to more than one group, because the app silently quits immediately. When executed again, the app presents "The specified server cannot perform the requested operation". After a "samba-tool ntacl sysvolreset", this message disappears but the recently created Group Policy Object is corrupt and delegation of permissions cannot be performed, with the error "The security ID structure is invalid". The only solution is to delete the newly created Group Policy Object. It is thus impossible to create Group Policy Objects applicable to more than one group, which pretty much makes GPOs way less useful. The same issue is still present in versions 4.21.0 and 4.21.1. Reverting to Samba 4.19.8 solves the issue and GPOs work correctly again. I classified this bug as critical because it is critical for our use. GPOs are one of the most useful features of an AD environment, being indispensable in many cases. Our Samba AD servers are running on AlmaLinux 9.4. Best regards and thank you.
seems to be a problem of your samba installation, I can't reproduce this, tested with sernet samba+ 4.20.5 here...
ah, setting the "Apply group policy" *permission* for delegated group shows the problem that you describe, okay I can confirm that fails here, too.