Samba AD: GPO with empty or null DACL

Andrew Bartlett abartlet at
Sun Jan 7 21:17:54 UTC 2018

On Wed, 2018-01-03 at 18:25 +0100, Thomas A. Reim via samba-technical
> Dear all,
> I would appreciate your support for managing the DACL of group policy 
> objects on a Samba AD DC.
> For testing purposes I need to modify the DACL of an existing GPO to be:
> 1. Empty DACL
> Up to now I have not been able to find a way to accomplish this task. 
> Microsoft RSAT tools allow to empty the DACL, but the empty DACL is not 
> stored in the directory.
> Command line tools on the Samba DC (ldapmodify, ldbedit) accept an empty 
> DACL, but do not store it in the directory, either. Instead the current 
> DACL is kept unchanged.
> Is there a feasible way to get these special DACLs stored in the directory?

I'm not entirely sure what you want to do, but I will note that Samba
refuses to consider a totally missing ntSecurityDescriptor to be an
'allow all', and just refuses all operations instead.

	sd_element = ldb_msg_find_element(acl_res, "nTSecurityDescriptor");
	if (sd_element == NULL) {
				 "nTSecurityDescriptor is missing");

	if (sd_element->num_values != 1) {
		return ldb_operr(ldb);

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Development and Support, Catalyst IT

More information about the samba-technical mailing list