[Samba] GPMC error 0x80070005 when saving "User Configuration > Preferences > Folders"

Nicolas Martinussen nicolas.martinussen at joskin.com
Tue Nov 4 13:29:20 UTC 2025 

Hello,

There is probably a better way, but what I do when I have this issue is that I do a chmod -R 777 on the policy folder (/var/lib/samba/sysvol/campus.sertao.ifrs.edu.br/Policies/{301F7BDC-2E40-4E97-BD1D-BCB90E5D3DB0} in your case). Then, I do my change. And after that, I do a samba-tool ntacl sysvolreset to restore the permissions correctly.

Nicolas

> hello,
> 
> I am having a problem with Group Policy Management on my Samba AD DC.
> 
> *My Environment:*
> 
>    -
> 
>    *Samba Version:* Version 4.22.6-Debian-4.22.6+dfsg-0~~mjt+deb12
>    -
> 
>    *OS:* Debian 12
> 
> *My Goal:* I am trying to create a simple GPO (User Configuration > Preferences > Folders) to create a new folder for users at %UserProfile%\DevRuns\bin.
> 
> *The Problem:* When I am in the Group Policy Management Editor and try to save this new "Folders" setting, I get an "Access Denied" error. The exact message is: Error (0x80070005) occurred saving settings file. Access is denied.
> 
> *Troubleshooting Steps I Have Taken:*
> 
> I assumed it was a SYSVOL permissions issue, so I ran the following commands on my Debian server:
> 
>    1.
> 
>    First, I ran samba-tool ntacl sysvolcheck. It failed and reported a
>    mismatch:
> 
>    ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> exception - ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/campus.sertao.ifrs.edu.br/Policies/{301F7BDC-2E40-4E97-BD1D-BCB90E5D3DB0}/User/Preferences/Folders
> O:BAG:DAD:(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;;;AU)(A;OICI;0x1200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
> from GPO object
>    ...
> 
>    2.
> 
>    Next, I ran samba-tool ntacl sysvolreset to fix the permissions.
>    3.
> 
>    I ran samba-tool ntacl sysvolcheck again, and it completed with no
>    errors. The permissions seemed to be fixed.
>    4.
> 
>    I went back to Windows and tried to save the GPO setting again. It
>    failed with the *exact same error: 0x80070005*.
>    5.
> 
>    After the failed save, I ran samba-tool ntacl sysvolcheck one more time,
>    and it reported the same ACL mismatch error as in step 1.
> 
> It seems that sysvolreset works, but the moment I try to save the GPO from
> Windows, the save operation fails and breaks the ACLs again.
> 
> Has anyone seen this behavior? Is this a configuration I am missing?
> 
> Thank you for your help.
> --
> Elias Pereira
> --

More information about the samba mailing list