Hello, I've en error again in the samba AD world. I use RSAT with the DOMAIN\administrator account to make some GPOs. Sometimes it doesn't work. So I have checked GPO ACL with 'gpo aclcheck' command, and this is the return : got OID=1.2.840.48018.1.2.2 ERROR: Invalid GPO ACL O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) on path (domain.com\Policies\{20F5D1E9-30B5-49F6-904C-8B41299AA2ED}), should be O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 'ntacl sysvolcheck' command return this : lp_load_ex: refreshing parameters Initialising global parameters rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Processing section "[global]" Processing section "[sysvol]" Processing section "[netlogon]" ldb_wrap open of idmap.ldb ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /usr/local/samba/var/locks/sysvol/domain.com/Policies/{20F5D1E9-30B5-49F6-904C-8B41299AA2ED} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object ? File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run ??? return self.run(*args, **kwargs) ? File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/ntacl.py", line 314, in run ??? lp) ? File "/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py", line 1853, in checksysvolacl ??? direct_db_access) ? File "/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py", line 1804, in check_gpos_acl ??? domainsid, direct_db_access) ? File "/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py", line 1747, in check_dir_acl ??? raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl)) Also, 'ntacl get /usr/local/samba/var/locks/sysvol --as-sddl' command say that : Initialising default vfs hooks Initialising custom vfs hooks from [/[Default VFS]/] Initialising custom vfs hooks from [acl_xattr] load_module_absolute_path: Module '/usr/local/samba/lib/vfs/acl_xattr.so' loaded Initialising custom vfs hooks from [dfs_samba4] connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1) O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) this is the sysvol part of the AD DC smb.conf : [sysvol] ??? path = /usr/local/samba/var/locks/sysvol ??? read only = No I fix the problem thanks ' ntacl sysvolreset' command, but when I modify a GPO, I need to start again. So, I'm lost....? what's wrong exactly ? Thanks :-)