Hello Andrews,

Find attached 2 patches:

1) for using secrets.ldb instead of sam.ldb for searching the domain SID, so that it will work on a domain member as well
2) use the short name (BA, SA, CO, ...) for the assignee in the file ACL for GPO and sysvol.

Matthieu.