SYSVOL ACLs, GPOs, other "Domain Admins" and root overrides for changing ownership and groups

Andrew Bartlett abartlet at
Tue Nov 13 16:07:43 MST 2012

I'm making some progress on the SYSVOL issue. 

I've reinstalled my domain locally, and clicking on "Default Domain
Policy" in GPMC I get the "inconsistent SYSVOL ACLs" error.  I also get
"access denied" when I try and fix them.

The changes I've made in my testing have been the reinstall, but also
that I'm now testing as a member of "Domain Admins", not

Part of the reason is quite clear:  The ACL calls from GPMC try to set
the ACL, chown and chgrp the file.  This is permitted by the NT ACL, but
not by posix, and Samba strictly honours POSIX in almost all cases.

This happens because the file is owned by a group - so nobody actually
has 'owner' rights on it. 

That covers set - but we also have errors on GET that might be simpler.
The GPMC client, over SMB2, asks for the DACL, but it isn't returned
(only user/group). I'll dig into this and send in traces if I can't find
why we get this wrong.  This appears to be the first issue folks have


This puts us between a rock and a very hard place at this point in the
release cycle.  I'm sorry to bring this up so late:  I've been so
focused on building up the testsuite from the ground up, reinforcing the
posix ACL layer etc, that I've totally missed the need for major work on
owner and group handling here.

Andrew Bartlett
Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list