[Samba] Access Denied when creating a GPO with any other domain admins than administrator

Antoine Vacher antoine.vacher at tigre-bleu.net
Thu May 16 08:41:29 MDT 2013 

Hi,

I did that but it doesn't change the issue.

thanks

----- Mail original -----
De: "steve" <steve at steve-ss.com>
À: samba at lists.samba.org
Envoyé: Jeudi 16 Mai 2013 10:15:06
Objet: Re: [Samba] Access Denied when creating a GPO with any other domain admins than administrator

On 14/05/13 18:40, Antoine Vacher wrote:
> Hello,
>
> I have a strange issue with Samba 4 as an AD DC regarding GPO creation.
>
> I use the following packages on Debian wheezy:
>
> dpkg -l | grep samba
> ii  libsamba-credentials0:i386           4.0.0+dfsg1-1                i386         Samba Credentials management library
> ii  libsamba-hostconfig0:i386            4.0.0+dfsg1-1                i386         Samba host configuration library
> ii  libsamba-policy0:i386                4.0.0+dfsg1-1                i386         Samba policy management
> ii  libsamba-util0:i386                  4.0.0+dfsg1-1                i386         Samba utility function library
> ii  python-samba                         4.0.0+dfsg1-1                i386         Python bindings for Samba
> rc  samba                                2:3.6.6-3                    i386         SMB/CIFS file, print, and login server for Unix
> ii  samba-common                         2:3.6.10-1                   all          common files used by both the Samba server and client
> ii  samba-common-bin                     2:3.6.10-1                   i386         common files used by both the Samba server and client
> ii  samba-dsdb-modules                   4.0.0+dfsg1-1                i386         Samba Directory Services Database
> ii  samba4                               4.0.0+dfsg1-1                i386         SMB/CIFS file, NT domain and active directory server (version 4)
> ii  samba4-clients                       4.0.0+dfsg1-1                i386         client utilities from Samba 4
> ii  samba4-common-bin                    4.0.0+dfsg1-1                i386         Samba 4 common files used by both the server and the client
>
> I created an administrative account called "admin-domain" which is member of the following groups:
> - Administrators
> - Domain Admins
> - Domain Users
> - Group Policy Creator Owners
>
> If I logon with the "administrator" account, then there is no problem to create a new GPO with the group policy management application from the windows 8 client.
> However, if I logon with the "admin-domain" account, is is not possible to create a GPO. The error given is "Access Denied"
>
> I checked and there is no problem for "admin-domain" to write in the sysvol share.
> For me being member of Domain Admins and writing to sysvol rights shall be enough to write a GPO.
>
> Apart from that, the GPO are correctly applied and I see no other issue.
> :

> I am sure missing something, but I can't figure out what...
>
> Thanks for your help.
>
> Antoine
>
Hi
A quick check, try running:
samba-tool ntacl sysvolreset


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list