Hi,

I upgraded the samba4 schema with the sudo AD schema, added the required sudo ldifs including the OU

dn: OU=SUDOers,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
showInAdvancedViewOnly: TRUE

I then tried to get sssd to pull the sudo rules from AD, without success. After posting over on the sssd list, it became apparent that 'Domain Computers' seemingly did not have the right to read the SUDOers OU. Further investigation proved that this was not entirely correct: 'Domain Computers' could read the OU, it just wasn't allowed to read anything in the OU, i.e. the sudo rules!

This brings me to the purpose of this post. Does anybody know how to change the 'nTSecurityDescriptor' attribute of an OU with Linux tools? Can I just read the attribute, change it with sed and then write it back, or do I need to do the required change with 'samba-tool dsacl set', and if so, how? Or is there some better way that I haven't thought of?

All I need to do is change '(A;;RPLCRC;;;DC)' to '(A;CI;RPLCRC;;;DC)'

Rowland
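The one-flag change asked for above, as an added Python example (not part of the original post and not Samba's own code): it parses the ACEs of an SDDL string and adds the CI (container inherit) flag to the allow ACE for one trustee, which is safer than a blind sed substitution because it checks every field of the ACE. The sample SDDL string is constructed and the function names are hypothetical.

```python
import re

# SDDL ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^()]*)\)")
FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")

# Constructed sample descriptor: DC = Domain Computers, SY = Local System,
# AU = Authenticated Users. RP = read property, LC = list children,
# RC = read control.
SAMPLE_SDDL = ("O:DAG:DAD:AI(A;;RPLCRC;;;DC)"
               "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIID;RPLCRC;;;AU)")


def split_pairs(tokens):
    """Split a run of two-letter SDDL flags, e.g. 'CIID' -> ['CI', 'ID']."""
    return [tokens[i:i + 2] for i in range(0, len(tokens), 2)]


def parse_ace(body):
    """Parse one ACE body; conditional ACEs (extra fields) are rejected."""
    parts = body.split(";")
    if len(parts) != 6:
        raise ValueError(f"not a 6-field ACE: {body!r}")
    return dict(zip(FIELDS, parts))


def add_container_inherit(sddl, rights, trustee):
    """Return (new_sddl, changed): add CI to matching explicit allow ACEs."""
    changed = 0

    def fix(match):
        nonlocal changed
        ace = parse_ace(match.group(1))
        flags = split_pairs(ace["flags"])
        wanted = (ace["type"] == "A" and ace["trustee"] == trustee
                  and ace["rights"] == rights
                  and not ace["object_guid"] and not ace["inherit_guid"])
        # Skip ACEs that already inherit (CI) or were inherited (ID).
        if wanted and "CI" not in flags and "ID" not in flags:
            ace["flags"] = "CI" + ace["flags"]
            changed += 1
        return "(" + ";".join(ace[f] for f in FIELDS) + ")"

    return ACE_RE.sub(fix, sddl), changed


if __name__ == "__main__":
    new_sddl, count = add_container_inherit(SAMPLE_SDDL, "RPLCRC", "DC")
    print(count, new_sddl)
```

The function only rewrites the SDDL string; reading the descriptor from the OU and writing it back are outside this example.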