[Samba] Can't use samba-tool gpo restore command

Rowland penny rpenny at samba.org
Wed Jul 8 13:54:33 UTC 2020

On 08/07/2020 14:26, Csorba Róbert via samba wrote:
> Hi,
> After I successfully dumped the GPO policies on my working domain
> controller, I would like to reuse them on a different domain server, but
> when I use the following command:
> samba-tool gpo restore B59E0B93-8226-40CA-A5C8-58A7AA1D139E /var/tmp/samba_gpo/policy/\{B59E0B93-8226-40CA-A5C8-58A7AA1D139E\}
> I got this error message:
> Using temporary directory /tmp/tmpo7huf4c0 (use --tmpdir to change)
> ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <acl: unable to get access to CN={76FFB9E4-B557-433E-B105-7F5C36AE54C1},CN=Policies,CN=System,DC=teszt,DC=darabanth,DC=pro> <>
>   File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line 1417, in run
>     credopts, versionopts)
>   File "/usr/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line 1239, in run
> Do you have any idea what causes the problem, or am I using the command
> incorrectly?

I take it you are running the command as root or with sudo, if so, try 
adding '-U USERNAME' to the end of the command, where 'USERNAME' is a 
user with permission to change AD e.g. Administrator or a member of 
Domain Admins.

