[Samba] samba-tool gpo create as user in "Group Policy Creator Owners" is missing permissions

Kees van Vloten keesvanvloten at gmail.com
Mon Feb 7 13:19:26 UTC 2022

Hi Team,

(On samba 4.15.5 on Bullseye from Louis' repo)
I am trying to create a GPO as a user in "Group Policy Creator Owners":

samba-tool gpo create 'testgpo' --user=gpo_manager --password=<password>
Using temporary directory /tmp/tmp_a869azf (use --tmpdir to change)
ERROR(ldb): uncaught exception - LDAP error 50 
LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <acl: unable to get access to 
 > <>
   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 1244, in run

As a result, the GPO is not created on the filesystem nor in LDAP.

From here: Microsoft - Delegating creation of GPOs
I read:

The ability to create GPOs in a domain is a permission that is managed 
on a per-domain basis. By default, only members of the Domain Admins, 
Enterprise Admins, Group Policy Creator Owners, and SYSTEM groups can 
create new GPOs.

Is it not true that the permissions provided by membership of group 
"Group Policy Creator Owners" are sufficient to create GPOs on Samba?

- Kees
