[Samba] GPO Security Filtering "Access Denied"

L.P.H. van Belle belle at bazuin.nl
Tue Dec 20 10:20:00 UTC 2016

To fix the rights problem, these are the steps i always follow, since it works for me. 

I logged in as DOMAIN\Adminstrator on a windows pc. 

Now backup sysvol, copy the "internal.domain.tld" folder in sysvol to your pc. 
2) Delete the "internal.domain.tld" folder in sysvol on the DC.  
3) login into linux, run samba-tools ntacl sysvolreset
4) Goto the sysvol folder and run : getfacl sysvol > /tmp/sysvol.acl 
5) copy the "internal.domain.tld" from the pc back to sysvol 
6) restore the sysvol.acl over the complete setup, run : 
   setfacl -R -b --modify-file /tmp/sysvol.acl /Path_to/sysvol
7) run samba-tool ntacl sysvolcheck. You should be error free now. 
8) Almost there, goto the windows GPO editor, klik once on every GPO object, used or not. You mights get a message about incorrect rights, just klik ok to fix and its done. 

This works every time for me if i get GPO errors.

Also all the USER GPO settings are applied by the computer accounts. 
you need always one of these: "authenticated users" "Domain Computers"
! always ! 

Best regards, 


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Miguel Medalha
> via samba
> Verzonden: dinsdag 20 december 2016 0:36
> Aan: Alex Crow
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] GPO Security Filtering "Access Denied"
> >> I think the ACL list on XFS (installed with Centos7) is too large and
> it
> >> can't store the additional ACLs. Hopefully that is it, and even if it
> >> isn't, thanks chaps for letting me think aloud, it often helps to
> bounce
> >> ideas off others to eliminate other possible issues.
> >> Sadly this probably means a reformat... grrr.
> Isn't that a bit too drastic? I have two DCs here, both working on XFS,
> one with CentOS 6 and the other with CentOS 7. I have lots of GPOs and
> complex ACLs and never found a limit with ACLs.
> If I remember correctly, XFS can accommodate 64kB of Extended Attributes.
> Did you try "samba-tool ntacl sysvolreset" ?
> As I told you before, I once met the same problem you now have and I was
> able to solve it, I don't exactly remember how but I think it was related
> to the issue I referred to in previous posts.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list