[Samba] Access denied on GPO after "ntacl sysvolreset"

Luis Peromarta lperoma at icloud.com
Tue Apr 8 16:51:31 UTC 2025 

I think 4.19 is ageing now as we are on 4.22

This looks very much like a recently solved bug (can’t find it now I’m on phone). You need at least 4.21.4

Try updating and see it it fixes things
On 8 Apr 2025 at 17:28 +0100, Klaas TJEBBES via samba <samba at lists.samba.org>, wrote:
> Hello.
>
> samba --version
> Version 4.19.5-Ubuntu
>
> Samba as Active Directory controller.
>
> 2 scenarios.
>
>
> # First scenario :
>
> * On a Windows client, from RSAT, I create a new GPO named "firstgpo".
> * Still in RSAT, I then create a second GPO "scndgpo" with some
> parameters that I backup (right clic on the GPO => Backup...).
> * Then I right clic on "firstgpo" and select "Import parameters...". I
> select the backup previously made.
>
> Parameters are correctly imported from "scndgpo" to "firstgpo". So far
> so good.
>
> Here is the problem, after running :
> samba-tool ntacl sysvolreset
> I can no longer "Import parameters". I get "Access denied" :
>
> """
> [Error] The task cannot be completed. An error occurred with the
> [Registry] extension. Unable to access the file
> [\dc.dom.lan\sysvol\dom.lan\Policies{846F43A0-9299-4791-A16A-7E4AFDE257DF}\MachineStaging\registry.pol].
> The following error occurred:
> Access denied.
> """
>
>
> # Second scenario :
>
> * I use :
> samba-tool gpo backup
> to backup an existing GPO.
>
> * From RSAT I delete this GPO.
> * I run :
> samba-tool gpo restore
> to restore from the backup I just made.
>
> * At that moments :
> samba-tool ntacl sysvolcheck
> returns nothing, says that ACLs on sysvol are correct.
>
> On a Windows client, from RSAT, I try to modify this GPO : right clic on
> the GPO, "Edit..." and configure some settings. I get an error : "Access
> denied. HRESULT : 0x80070005 (E_ACCESSDENIED)".
>
> But, after running :
> samba-tool ntacl sysvolreset
>
> I can again modify the restored GPO without error. But at that moment
> I'm encountering the problem of the first scenario.
>
>
> What is the problem ? Is this a bug ?
>
>
> Kind regards,
> Klaas
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

More information about the samba mailing list