[Samba] Sysvol permission issue - how to repair permanently?

L.P.H. van Belle belle at bazuin.nl
Tue Apr 6 14:44:36 UTC 2021

Hi Rowland, 

Yes, I'm aware of that. 

Only, I use "BAG", not "DAG". 

Both are correct, just because DAG is a member of BAG. No setup is the same. 

It's a good attempt at the sysvolcheck fix, but it's not 100%. 
And yes, since I know that, I just don't run sysvolcheck normally. ;-)
But I also don't have problems with my policies; all apply as needed, where needed. 

Now, looking at that below. 
> O:BAG:DUD  << that's the wrong one. DUD "Domain Users" ..? 
Rights are not correct, as simple as that. 

Should be 

So, I'm assuming this was a "user" with elevated rights that ran GPMC 
and created the policies, or a user which was added to "Domain Admins", which is a big NO NO. 

The difference for me is, I only use Administrator or a new admin, a copy of Administrator but with the exact same rights. 

No users with elevated rights are used for this. 

So I suggest to the TP starter, read this: 

and apply it. 
Then run/get the SDDL of it.

If one does not have an official Windows server, download one and install it in a VM. Check the rights on sysvol. 

That I have, exactly what was on my W2008R2 server's sysvol. 



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via
> samba
> Sent: Tuesday 6 April 2021 12:12
> To: samba at lists.samba.org
> Subject: Re: [Samba] Sysvol permission issue - how to repair
> permanently?
> On 06/04/2021 10:42, L.P.H. van Belle via samba wrote:
> > root at dc1:~# samba-tool ntacl sysvolcheck
> > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
> > - ProvisioningError: DB ACL on GPO
> > file /var/lib/samba/sysvol/xxx/Policies/{F9E5E9AC-B120-454C-9F5E-AD7A32DF180F}/Machine/Registry.pol
> > O:BAG:DUD:(A;;0x001d0156;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)(A;;0x001200a9;;;DA)
> > does not match expected value
> > O:DAG:DAD:PAR(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)
> > from GPO object
> Hi Louis,
> The reason why you get that error is because you have given Domain
> Admins a gidNumber, this means that 'O:DA' can never happen. I have
> multiple GPOs in sysvol and this happens:
> pi at rpidc1:~ $ sudo samba-tool ntacl sysvolreset
> pi at rpidc1:~ $ sudo samba-tool ntacl sysvolcheck
> pi at rpidc1:~ $
> Absolutely no errors, this is with Samba 4.14.2
> At one time 'samba-tool ntacl sysvol*' didn't work, I tried to fix this
> and came to the conclusion it was because Samba didn't know who some of
> the users and groups were (they couldn't be 'mapped') and some of the
> permissions were unknown as well. These problems have now been fixed and
> sysvolreset and sysvolcheck now work correctly, provided users & groups
> can be mapped as Windows expects.
> Rowland

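As an added illustration (not code from this thread or from Samba itself), a small parser that splits the two SDDL strings quoted in the sysvolcheck output above and reports what differs: owner, group, the DACL control flags, and the ACEs per trustee. The descriptor strings are the ones from the thread with line wrapping removed; the abbreviations (BA, DU, DA, CO, ...) are the standard SDDL well-known aliases, and the owner/group difference is the part Rowland attributes to Domain Admins having a gidNumber.

```python
import re

# The two descriptors from the sysvolcheck error in the thread, with line wraps removed.
ACTUAL = ("O:BAG:DUD:(A;;0x001d0156;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
          "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)(A;;0x001200a9;;;DA)")
EXPECTED = ("O:DAG:DAD:PAR(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)")

# O:<owner>G:<group>D:<control flags><ACEs>; trustees are two-letter aliases or raw SIDs.
_SDDL_RE = re.compile(r"^O:(?P<owner>[A-Z]{2}|S-[\d-]+)G:(?P<group>[A-Z]{2}|S-[\d-]+)D:(?P<dacl>.*)$")
# (type;inheritance flags;hex access mask;;;trustee) -- only hex masks, as in the thread.
_ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<mask>0x[0-9a-fA-F]+);;;"
                     r"(?P<sid>[A-Z]{2}|S-[\d-]+)\)")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and (type, flags, mask, trustee) ACEs."""
    m = _SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an O:..G:..D:.. SDDL string")
    dacl = m.group("dacl")
    first_ace = dacl.find("(")
    control = dacl if first_ace < 0 else dacl[:first_ace]   # e.g. "PAR", or "" when absent
    aces = [(a["type"], a["flags"], int(a["mask"], 16), a["sid"]) for a in _ACE_RE.finditer(dacl)]
    return {"owner": m.group("owner"), "group": m.group("group"), "control": control, "aces": aces}


def diff_sddl(actual, expected):
    """List the differences sysvolcheck is complaining about, one finding per line."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    findings = []
    for field in ("owner", "group", "control"):
        if a[field] != e[field]:
            findings.append(f"{field}: {a[field] or '-'} != {e[field] or '-'}")
    # Key ACEs by (type, mask, trustee) so that inheritance-only differences are reported separately
    # from ACEs that are missing or unexpected outright.
    keyed = lambda aces: {(t, m, s): f for t, f, m, s in aces}
    a_keyed, e_keyed = keyed(a["aces"]), keyed(e["aces"])
    for (t, mask, sid), flags in e_keyed.items():
        if (t, mask, sid) not in a_keyed:
            findings.append(f"missing ACE for {sid} mask {mask:#x}")
        elif a_keyed[(t, mask, sid)] != flags:
            findings.append(f"inheritance flags for {sid} mask {mask:#x}: {a_keyed[(t, mask, sid)] or '-'} != {flags}")
    for (t, mask, sid) in a_keyed:
        if (t, mask, sid) not in e_keyed:
            findings.append(f"unexpected ACE for {sid} mask {mask:#x}")
    return findings


if __name__ == "__main__":
    for line in diff_sddl(ACTUAL, EXPECTED):
        print(line)
```

Run against the thread's two strings it reports the owner (BA vs DA), the group (DU vs DA), the missing PAR control flags, the missing CREATOR OWNER (CO) entry, the extra BA entry, and that every remaining ACE lacks the OICI inheritance flags.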