[Samba] Rebuild the Corrupt default Group Policy

Anantha Raghava raghav at exzatechconsulting.com
Thu Jul 13 13:26:18 UTC 2017

Hello Rowland,

The bash script you shared does not work. It doesn't reset the ACLs as 
expected. Finally, I copied the default policies to the Domain 
Controller SYSVOL folder and manually set the permissions and Windows 
RSAT accepted those changes and it started working properly.


Thanks & Regards,

Anantha Raghava

Do not print this e-mail unless required. Save Paper & trees.
On 07/07/17 2:39 PM, Rowland Penny wrote:
> On Fri, 7 Jul 2017 05:29:30 +0530
> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>> Hello Marc,
>>> Hi Anantha,
>>> Am 06.07.2017 um 10:02 schrieb Anantha Raghava via samba:
>>>> Is there any way we can rebuild corrupt Default Domain Policy and
>>>> Default Domain Controller Policy.
>>> What is broken?
>> Entire Default Domain and Default Domain Controller Policies along
>> with other Policies that we had built are broken.
> I have written a bash script that should do what you need and I have
> attached a copy. I haven't tested it (never had need to), but it
> should work, it is just a bash interpretation of the python code used
> during provision.
> It was written on Devuan (Debian without systemd), so if you are using
> some other OS, or have moved sysvol (not a good idea), then you may
> need to tweak it.
>>>> In windows AD we can use dcgpofix utility to recreate the Default
>>>> Domain and Domain Controller Policies. Something similar available
>>>> in Samba AD DC?
>>> You can recover the files from your backup and to reset
>>> Sysvol/directory ACLs, run
>>> # samba-tool ntacl sysvolreset
>> I believe samba-tool ntacl sysvolreset does not function in the manner
>> in which it is supposed to. I have seen many discussions on this.
> The problem with sysvolreset isn't so much with the default policies,
> it is with any extra policies you might add, this is further compounded
> by giving 'Domain Admins' a gidNumber. 'Domain Admins' needs to own
> directories in the extra policies added, it cannot do this if it has a
> gidNumber, this is because it is then only a group and a group in Unix
> cannot own anything.
> In your case, after you have recreated sysvol, I would run sysvolreset,
> then add your other policies and then never run sysvolreset again.
> Rowland
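
A pre-flight check for the two pitfalls Rowland describes before anyone runs `samba-tool ntacl sysvolreset`: whether 'Domain Admins' carries a gidNumber, and which non-default GPO directories exist in sysvol (the ones sysvolreset is said to mishandle). This is an added example, not the script from the thread nor Samba's own code; it assumes LDIF on stdin as `ldbsearch` prints it and the standard `Policies/{GUID}` sysvol layout, and the sample LDIF and extra GPO name are constructed.

```shell
#!/bin/sh
# Well-known GUIDs of the two GPOs created at provision time (uppercase for
# comparison; on disk the DC policy GUID usually has a lowercase 'f').
DEFAULT_DOMAIN_GPO='{31B2F340-016D-11D2-945F-00C04FB984F9}'
DEFAULT_DC_GPO='{6AC1786C-016F-11D2-945F-00C04FB984F9}'

# Exit 0 if the LDIF on stdin carries a gidNumber attribute, 1 otherwise.
# Real usage (assumed paths):
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=Domain Admins)' gidNumber \
#       | ldif_has_gidnumber && echo "WARNING: Domain Admins has a gidNumber"
ldif_has_gidnumber() {
    grep -qi '^gidNumber:'
}

# Print the names of GPO directories under "$1/Policies" that are not one of
# the two default GPOs; these are the "extra policies" whose ownership needs
# attention after a sysvolreset. GUID comparison is case-insensitive.
extra_gpos() {
    policies="$1/Policies"
    [ -d "$policies" ] || return 0
    for d in "$policies"/\{*\}; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        upper=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
        case "$upper" in
            "$DEFAULT_DOMAIN_GPO" | "$DEFAULT_DC_GPO") ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed demo input (not a real domain): an LDIF entry as ldbsearch
# would print it for a group that has been given a gidNumber.
SAMPLE_LDIF='dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectClass: group
gidNumber: 3000000'

if printf '%s\n' "$SAMPLE_LDIF" | ldif_has_gidnumber; then
    echo "sample: Domain Admins has a gidNumber; it cannot own GPO directories"
fi

# Constructed demo sysvol tree with the two defaults and one extra GPO.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/Policies/$DEFAULT_DOMAIN_GPO" \
         "$DEMO/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}" \
         "$DEMO/Policies/{11111111-2222-3333-4444-555555555555}"
echo "sample extra GPOs:"; extra_gpos "$DEMO"
rm -rf "$DEMO"
```

On a live DC, run `extra_gpos /var/lib/samba/sysvol/<your.domain>` (path assumed) and check each listed directory's owner by hand, as the thread's original poster ended up doing.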