[Samba] Access denied on GPO after "ntacl sysvolreset"
Klaas TJEBBES
klaas.tjebbes at region-academique-bourgogne-franche-comte.fr
Tue Apr 8 16:11:55 UTC 2025
Hello.
samba --version
Version 4.19.5-Ubuntu
Samba as Active Directory controller.
2 scenarios.
# First scenario :
* On a Windows client, from RSAT, I create a new GPO named "firstgpo".
* Still in RSAT, I then create a second GPO "scndgpo" with some
parameters that I backup (right clic on the GPO => Backup...).
* Then I right clic on "firstgpo" and select "Import parameters...". I
select the backup previously made.
Parameters are correctly imported from "scndgpo" to "firstgpo". So far
so good.
Here is the problem, after running :
samba-tool ntacl sysvolreset
I can no longer "Import parameters". I get "Access denied" :
"""
[Error] The task cannot be completed. An error occurred with the
[Registry] extension. Unable to access the file
[\dc.dom.lan\sysvol\dom.lan\Policies{846F43A0-9299-4791-A16A-7E4AFDE257DF}\MachineStaging\registry.pol].
The following error occurred:
Access denied.
"""
# Second scenario :
* I use :
samba-tool gpo backup
to backup an existing GPO.
* From RSAT I delete this GPO.
* I run :
samba-tool gpo restore
to restore from the backup I just made.
* At that moments :
samba-tool ntacl sysvolcheck
returns nothing, says that ACLs on sysvol are correct.
On a Windows client, from RSAT, I try to modify this GPO : right clic on
the GPO, "Edit..." and configure some settings. I get an error : "Access
denied. HRESULT : 0x80070005 (E_ACCESSDENIED)".
But, after running :
samba-tool ntacl sysvolreset
I can again modify the restored GPO without error. But at that moment
I'm encountering the problem of the first scenario.
What is the problem ? Is this a bug ?
Kind regards,
Klaas
More information about the samba
mailing list