[Samba] GPO Editor says "Access denied" for Group Policy Objects

Rowland Penny rpenny at samba.org
Thu May 2 11:00:20 UTC 2024


On Thu, 2 May 2024 12:07:13 +0200
Jakob Curdes via samba <samba at lists.samba.org> wrote:

> Hello all, to return to the original topic:
> 
> My original problem was that I could not edit GP objects with the GP 
> Editor, even as Domain admin. I always got "access denied". A 
> sysvolcheck returned no errors and the Windows "Security" tab for the 
> object in question on the sysvol share looked correct.
> 
> I now found out that the group id of the sysvol folder (and
> everything below) was 3000000, while the "Administrators" group has
> the group ID 3000002. I corrected the group ID assigned to the sysvol
> folder on both DCs and now I can edit the GP objects with the GPO
> editor.

The permissions set on the sysvol directory are:
O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)

Which in a more readable form is:
Owner:LOCAL_ADMIN Group:BUILTIN_ADMINISTRATORS D:P(Allow;Full control;;;BUILTIN_ADMINISTRATORS)(Allow;Read and Execute,Inherited;;;SERVER_OPERATORS)(Allow;Full control;;;LOCAL_SYSTEM)(Allow;Read and Execute,Inherited;;;_AUTHENTICATED_USERS)

Now all that depends on the various users and groups having the same ID
on every DC. The problem with that is, you cannot depend on every DC
giving the same IDs to users and groups; they are handed out on a
'first come' basis. This is why you need to sync idmap.ldb from one DC
(usually the one holding the PDC_Emulator FSMO role) to all others.

> 
> I still do not understand why on my DCs "getent group" and "getent
> user" do not return the Windows groups and users, but that is
> probably a cosmetic thing as you can get all info via wbinfo and
> samba-tool. Just for this case here it would then also display the
> group ownership of the sysvol folder. I have "winbind" in nsswitch
> .conf and no other special settings, on other similar DCs getent
> group returns the groups, not sure why it is not working here, but
> perhaps not important enough to invest more time.

If you run 'getent group' and get no result, try:
getent group Domain\ Users

Does this return output? If it doesn't, check that you have the
correct libnss winbind links installed and that /etc/nsswitch.conf is
set up correctly.

Rowland
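Decoding the sysvol SDDL string quoted above by hand is error-prone, so here is an added example (my own code, not Samba's) that parses that descriptor into the readable form Rowland gives and checks that BUILTIN_ADMINISTRATORS keeps an Allow full-control entry. The alias tables are a hand-picked subset of the standard SDDL well-known aliases, and the access-mask constants are the usual Win32 FILE_GENERIC_* / FILE_ALL_ACCESS values; the OICI flags are spelled out as the inherit flags they are. Note that the fault in this thread was the POSIX group id underneath the descriptor, which a parser of the NT ACL cannot see, so this only validates the descriptor itself:

```python
"""Decode a Windows SDDL security descriptor (e.g. the Samba sysvol ACL)
into readable form and sanity-check the Administrators entry.
Added example, not part of Samba."""
import re

# Subset of SDDL SID aliases (those in the sysvol descriptor plus two common ones)
SID_ALIASES = {
    "LA": "LOCAL_ADMIN",
    "BA": "BUILTIN_ADMINISTRATORS",
    "SO": "SERVER_OPERATORS",
    "SY": "LOCAL_SYSTEM",
    "AU": "AUTHENTICATED_USERS",
    "WD": "EVERYONE",
    "DA": "DOMAIN_ADMINS",
}
ACE_TYPES = {"A": "Allow", "D": "Deny"}
ACE_FLAGS = {"OI": "ObjectInherit", "CI": "ContainerInherit",
             "IO": "InheritOnly", "NP": "NoPropagate", "ID": "Inherited"}
DACL_FLAGS = {"P": "Protected", "AI": "AutoInherited", "AR": "AutoInheritReq"}

# Standard Win32 file access masks
FILE_ALL_ACCESS = 0x1F01FF
FILE_GENERIC_READ = 0x120089
FILE_GENERIC_WRITE = 0x120116
FILE_GENERIC_EXECUTE = 0x1200A0
RIGHTS_ALIASES = {"FA": FILE_ALL_ACCESS, "FR": FILE_GENERIC_READ,
                  "FW": FILE_GENERIC_WRITE, "FX": FILE_GENERIC_EXECUTE}

# The sysvol descriptor exactly as quoted in the thread
SYSVOL_SDDL = ("O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)"
               "(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)")

SDDL_RE = re.compile(r"^O:(?P<owner>[\w-]+?)G:(?P<group>[\w-]+?)"
                     r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")


def _tokens(s, table):
    """Split a run of 1- or 2-letter SDDL flag codes using the given table."""
    out, i = [], 0
    while i < len(s):
        if s[i:i + 2] in table:
            out.append(table[s[i:i + 2]])
            i += 2
        elif s[i] in table:
            out.append(table[s[i]])
            i += 1
        else:
            raise ValueError(f"unknown flag in {s!r}")
    return out


def _mask(rights):
    """Rights field is either a hex mask or a concatenation of 2-letter aliases."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS_ALIASES[rights[i:i + 2]]
    return mask


def describe_mask(mask):
    """Collapse a file access mask into the words the GUI would use."""
    if mask == FILE_ALL_ACCESS:
        return "Full control"
    parts = []
    if mask & FILE_GENERIC_READ == FILE_GENERIC_READ:
        parts.append("Read")
    if mask & FILE_GENERIC_EXECUTE == FILE_GENERIC_EXECUTE:
        parts.append("Execute")
    if mask & FILE_GENERIC_WRITE == FILE_GENERIC_WRITE:
        parts.append("Write")
    return " and ".join(parts) if parts else hex(mask)


def parse_sddl(sddl):
    """Return owner, group, DACL flags and a list of decoded ACEs."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string")
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m["aces"]):
        ace_type, flags, rights, _obj, _inh, trustee = ace.split(";")
        mask = _mask(rights)
        aces.append({"type": ACE_TYPES[ace_type], "flags": _tokens(flags, ACE_FLAGS),
                     "mask": mask, "rights": describe_mask(mask),
                     "trustee": SID_ALIASES.get(trustee, trustee)})
    return {"owner": SID_ALIASES.get(m["owner"], m["owner"]),
            "group": SID_ALIASES.get(m["group"], m["group"]),
            "dacl_flags": _tokens(m["flags"], DACL_FLAGS), "aces": aces}


def render(sd):
    """Readable form in the same layout Rowland used in the thread."""
    aces = "".join("({};{}{};;;{})".format(
        a["type"], a["rights"], "," + ",".join(a["flags"]) if a["flags"] else "", a["trustee"])
        for a in sd["aces"])
    return "Owner:{} Group:{} D:{}{}".format(sd["owner"], sd["group"], ",".join(sd["dacl_flags"]), aces)


def admins_have_full_control(sd):
    """Defender check: Administrators must hold an Allow full-control ACE and no Deny."""
    admins = [a for a in sd["aces"] if a["trustee"] == "BUILTIN_ADMINISTRATORS"]
    return (any(a["type"] == "Allow" and a["mask"] == FILE_ALL_ACCESS for a in admins)
            and not any(a["type"] == "Deny" for a in admins))


if __name__ == "__main__":
    sd = parse_sddl(SYSVOL_SDDL)
    print(render(sd))
    print("Administrators full control:", admins_have_full_control(sd))
```

Run it as-is and it prints the decoded sysvol descriptor; point `parse_sddl` at the output of `samba-tool ntacl get --as-sddl` on a DC to decode a live descriptor the same way.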
