[Samba] Problem sysvolreset

Rowland Penny rpenny at samba.org
Tue Mar 7 15:51:35 UTC 2017

On Tue, 7 Mar 2017 12:23:59 -0300
Edson Tadeu Almeida da Silveira via samba <samba at lists.samba.org> wrote:

> # samba-tool gpo aclcheck -U Administrator
> Password for [DOMAIN\Administrator]:
> ERROR: Invalid GPO ACL
> O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> on path
> (cbmerj.local\Policies\{F274A070-5B45-4434-BB7C-75AE1D702A6B}),
> should be
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> This last error is happening to all my policies. After each police i
> repair, another one shows up with problem and i canĀ“t delete all
> policies and recreate to test.
> Thanks for your help!

Welcome to the wonderful world of SYSVOL on a Samba4 AD DC ;-)

Have you set a gidNumber for Domain Admins ?
If so remove it, Domain Admins needs to own files and dirs in sysvol
and if the group has a gidNumber it cannot.

  'O:LA' = owner: Local Administrator
  'O:DA' = owner: Domain Admins 
  'G:DA' = group: Domain Admins


More information about the samba mailing list