[Samba] Access Denied when creating a GPO with any other domain admins than administrator
antoine.vacher at tigre-bleu.net
Thu May 16 08:41:29 MDT 2013
I did that but it doesn't change the issue.
----- Mail original -----
De: "steve" <steve at steve-ss.com>
À: samba at lists.samba.org
Envoyé: Jeudi 16 Mai 2013 10:15:06
Objet: Re: [Samba] Access Denied when creating a GPO with any other domain admins than administrator
On 14/05/13 18:40, Antoine Vacher wrote:
> I have a strange issue with Samba 4 as an AD DC regarding GPO creation.
> I use the following packages on Debian wheezy:
> dpkg -l | grep samba
> ii libsamba-credentials0:i386 4.0.0+dfsg1-1 i386 Samba Credentials management library
> ii libsamba-hostconfig0:i386 4.0.0+dfsg1-1 i386 Samba host configuration library
> ii libsamba-policy0:i386 4.0.0+dfsg1-1 i386 Samba policy management
> ii libsamba-util0:i386 4.0.0+dfsg1-1 i386 Samba utility function library
> ii python-samba 4.0.0+dfsg1-1 i386 Python bindings for Samba
> rc samba 2:3.6.6-3 i386 SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:3.6.10-1 all common files used by both the Samba server and client
> ii samba-common-bin 2:3.6.10-1 i386 common files used by both the Samba server and client
> ii samba-dsdb-modules 4.0.0+dfsg1-1 i386 Samba Directory Services Database
> ii samba4 4.0.0+dfsg1-1 i386 SMB/CIFS file, NT domain and active directory server (version 4)
> ii samba4-clients 4.0.0+dfsg1-1 i386 client utilities from Samba 4
> ii samba4-common-bin 4.0.0+dfsg1-1 i386 Samba 4 common files used by both the server and the client
> I created an administrative account called "admin-domain" which is member of the following groups:
> - Administrators
> - Domain Admins
> - Domain Users
> - Group Policy Creator Owners
> If I logon with the "administrator" account, then there is no problem to create a new GPO with the group policy management application from the windows 8 client.
> However, if I logon with the "admin-domain" account, is is not possible to create a GPO. The error given is "Access Denied"
> I checked and there is no problem for "admin-domain" to write in the sysvol share.
> For me being member of Domain Admins and writing to sysvol rights shall be enough to write a GPO.
> Apart from that, the GPO are correctly applied and I see no other issue.
> I am sure missing something, but I can't figure out what...
> Thanks for your help.
A quick check, try running:
samba-tool ntacl sysvolreset
To unsubscribe from this list go to the following URL and read the
More information about the samba