Samba AD: GPO with empty or null DACL
Thomas A. Reim
reimth at gmail.com
Wed Jan 3 17:25:32 UTC 2018
I would appreciate your support for managing the DACL of group policy
objects on a Samba AD DC.
For testing purposes I need to modify the DACL of an existing GPO to be:
1. Empty DACL
2. NULL DACL
Up to now I have not been able to find a way to accomplish this task.
Microsoft RSAT tools allow to empty the DACL, but the empty DACL is not
stored in the directory.
Command line tools on the Samba DC (ldapmodify, ldbedit) accept an empty
DACL, but do not store it in the directory, either. Instead the current
DACL is kept unchanged.
Is there a feasible way to get these special DACLs stored in the directory?
More information about the samba-technical