[Samba] GPO fail and sysvol perm errors

Sonic sonicsmith at gmail.com
Sun Oct 25 19:21:55 UTC 2020


On Sun, Oct 25, 2020 at 2:38 PM Rowland penny via samba
<samba at lists.samba.org> wrote:
> So '5035' is a computer, but what is '3000011' ?
> You can find out by running this on the DC:
> ldbsearch -H /path/to/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000011))'
===================================
# ldbsearch -H /usr/local/samba/private/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000011))'
# record 1
dn: CN=S-1-5-21-546846319-217595157-9522986-1328
cn: S-1-5-21-546846319-217595157-9522986-1328
objectClass: sidMap
objectSid: S-1-5-21-546846319-217595157-9522986-1328
type: ID_TYPE_BOTH
xidNumber: 3000011
distinguishedName: CN=S-1-5-21-546846319-217595157-9522986-1328

# returned 1 records
# 1 entries
# 0 referrals
===================================
S-1-5-21-546846319-217595157-9522986-1328 is the sid of the Windows 10
pro client I'm using to manage the domain.
===================================
> Once you find out that, you should then be able to find out why the two
> are being denied access, by examining the permissions on sysvol.

Permissions on sysvol are:
drwxrwx---+ 4 root 3000000

Compared with another domain's DC (which has no GPO issues):
drwxrws---+ 1 root 3000000

Looks like sgid is set on one and not the other. I have not touched
those permissions. If sgid is needed shouldn't the classic upgrade
have handled that?
Should I add the sgid to sysvol and its subdirectories (that's how it
is on the working domain) or is this just a difference in the two
releases (the working domain is running 4.10.16)?

Chris
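
Added example, not part of the original message or of Samba: a read-only Python report that lists every directory under a tree whose setgid bit or owning group differs from the tree root, which is the difference visible between the two `ls` lines above. The function names and the sample entries are constructed for illustration; it changes nothing on disk and takes no position on which setting is correct.

```python
import os
import stat
import sys

def collect(root):
    """Return (path, st_mode, st_gid) for every directory under root, root first."""
    entries = []
    for dirpath, _dirs, _files in os.walk(root):
        st = os.lstat(dirpath)
        entries.append((dirpath, st.st_mode, st.st_gid))
    return entries

def describe(mode):
    """Render a mode as ls does (without the '+' ACL marker) and in octal."""
    return stat.filemode(mode), oct(stat.S_IMODE(mode))

def audit(entries):
    """Compare each directory with the first entry (the tree root).

    Returns (path, octal_mode, gid, reasons) for directories whose setgid
    bit or group differs from the root's. POSIX ACLs (the '+' in ls output)
    are not part of st_mode and need getfacl or samba-tool to inspect.
    """
    if not entries:
        return []
    _root, root_mode, root_gid = entries[0]
    root_sgid = bool(root_mode & stat.S_ISGID)
    findings = []
    for path, mode, gid in entries[1:]:
        reasons = []
        if bool(mode & stat.S_ISGID) != root_sgid:
            reasons.append("setgid bit differs from root")
        if gid != root_gid:
            reasons.append(f"gid {gid} differs from root gid {root_gid}")
        if reasons:
            findings.append((path, oct(stat.S_IMODE(mode)), gid, reasons))
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:
        entries = collect(sys.argv[1])      # e.g. the DC's sysvol directory
    else:
        # Constructed sample: root is setgid, one child is not.
        entries = [("sysvol", 0o042770, 3000000),
                   ("sysvol/example.dom", 0o040770, 3000000)]
    print("root:", *describe(entries[0][1]), "gid", entries[0][2])
    for path, mode, gid, reasons in audit(entries):
        print(f"{path}: mode {mode} gid {gid}: {'; '.join(reasons)}")
```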


