Re: [Samba] Access Denied when creating a GPO with any other domain admins than administrator

Thu, 16 May 2013 01:15:13 -0700 

On 14/05/13 18:40, Antoine Vacher wrote:

Hello,

I have a strange issue with Samba 4 as an AD DC regarding GPO creation.

I use the following packages on Debian wheezy:

dpkg -l | grep samba
ii  libsamba-credentials0:i386           4.0.0+dfsg1-1                i386      
   Samba Credentials management library
ii  libsamba-hostconfig0:i386            4.0.0+dfsg1-1                i386      
   Samba host configuration library
ii  libsamba-policy0:i386                4.0.0+dfsg1-1                i386      
   Samba policy management
ii  libsamba-util0:i386                  4.0.0+dfsg1-1                i386      
   Samba utility function library
ii  python-samba                         4.0.0+dfsg1-1                i386      
   Python bindings for Samba
rc  samba                                2:3.6.6-3                    i386      
   SMB/CIFS file, print, and login server for Unix
ii  samba-common                         2:3.6.10-1                   all       
   common files used by both the Samba server and client
ii  samba-common-bin                     2:3.6.10-1                   i386      
   common files used by both the Samba server and client
ii  samba-dsdb-modules                   4.0.0+dfsg1-1                i386      
   Samba Directory Services Database
ii  samba4                               4.0.0+dfsg1-1                i386      
   SMB/CIFS file, NT domain and active directory server (version 4)
ii  samba4-clients                       4.0.0+dfsg1-1                i386      
   client utilities from Samba 4
ii  samba4-common-bin                    4.0.0+dfsg1-1                i386      
   Samba 4 common files used by both the server and the client

I created an administrative account called "admin-domain" which is member of 
the following groups:
- Administrators
- Domain Admins
- Domain Users
- Group Policy Creator Owners

If I logon with the "administrator" account, then there is no problem to create 
a new GPO with the group policy management application from the windows 8 client.
However, if I logon with the "admin-domain" account, is is not possible to create a GPO. 
The error given is "Access Denied"

I checked and there is no problem for "admin-domain" to write in the sysvol 
share.
For me being member of Domain Admins and writing to sysvol rights shall be 
enough to write a GPO.

Apart from that, the GPO are correctly applied and I see no other issue.
:



I am sure missing something, but I can't figure out what...

Thanks for your help.

Antoine


Hi
A quick check, try running:
samba-tool ntacl sysvolreset


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Reply via email to