Samba AD: GPO with empty or null DACL

Thomas A. Reim reimth at
Wed Jan 3 17:25:32 UTC 2018

Dear all,

I would appreciate your support for managing the DACL of group policy 
objects on a Samba AD DC.

For testing purposes I need to modify the DACL of an existing GPO to be:

1. Empty DACL


Up to now I have not been able to find a way to accomplish this task. 
Microsoft RSAT tools allow emptying the DACL, but the empty DACL is not 
stored in the directory.

Command line tools on the Samba DC (ldapmodify, ldbedit) accept an empty 
DACL, but do not store it in the directory, either. Instead the current 
DACL is kept unchanged.

Is there a feasible way to get these special DACLs stored in the directory?
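
One way to check what a directory actually stored after such a modification, as an added example that is not part of the original post: the sketch parses a self-relative security descriptor (the binary form of nTSecurityDescriptor) and reports whether its DACL is absent, null, empty or populated. The function names and the sample descriptors are hypothetical and constructed for illustration; how the attribute value is read from the DC is not shown.

```python
import base64
import struct

SE_DACL_PRESENT = 0x0004   # Control bit: the DACL field is meaningful
SE_SELF_RELATIVE = 0x8000  # Control bit: header holds offsets, not pointers

def classify_dacl(sd: bytes) -> str:
    """Classify the DACL of a self-relative security descriptor.

    'absent'   - SE_DACL_PRESENT is clear
    'null'     - flag set, DACL offset 0 (no DACL: access is not restricted)
    'empty'    - flag set, ACL header with zero ACEs (nobody is granted access)
    'aces:<n>' - ordinary DACL with n ACEs
    """
    if len(sd) < 20:
        raise ValueError("shorter than the 20-byte descriptor header")
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative descriptor")
    if not control & SE_DACL_PRESENT:
        return "absent"
    if dacl_off == 0:
        return "null"
    if dacl_off + 8 > len(sd):
        raise ValueError("DACL offset points past the end of the buffer")
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    return "empty" if ace_count == 0 else f"aces:{ace_count}"

def classify_b64(value: str) -> str:
    """Same check for the base64 text LDIF shows after 'nTSecurityDescriptor::'."""
    return classify_dacl(base64.b64decode(value))

# --- constructed sample descriptors (not taken from a real directory) ---
def make_header(control: int, dacl_off: int) -> bytes:
    return struct.pack("<BBHIIII", 1, 0, control, 0, 0, 0, dacl_off)

NULL_SD = make_header(SE_SELF_RELATIVE | SE_DACL_PRESENT, 0)
EMPTY_SD = make_header(SE_SELF_RELATIVE | SE_DACL_PRESENT, 20) + struct.pack("<BBHHH", 4, 0, 8, 0, 0)
# One ACCESS_ALLOWED ACE (type 0, 20 bytes) for S-1-1-0 with a constructed mask
ACE = struct.pack("<BBHI", 0, 0, 20, 0x00020094) + bytes([1, 1, 0, 0, 0, 0, 0, 1]) + struct.pack("<I", 0)
ONE_ACE_SD = make_header(SE_SELF_RELATIVE | SE_DACL_PRESENT, 20) + struct.pack("<BBHHH", 4, 0, 28, 1, 0) + ACE
EMPTY_B64 = base64.b64encode(EMPTY_SD).decode()

if __name__ == "__main__":
    for name, sd in [("null", NULL_SD), ("empty", EMPTY_SD), ("one ACE", ONE_ACE_SD)]:
        print(f"{name:8} -> {classify_dacl(sd)}")
```

Running the same check on the descriptor before and after a modification shows whether the directory kept the previous DACL, which is the behaviour described above.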
