class cmd_ntacl(SuperCommand):

 class cmd_ntacl(SuperCommand):

--- a/python/samba/provision/__init__.py

--- a/python/samba/provision/__init__.py

+++ b/python/samba/provision/__init__.py

+++ b/python/samba/provision/__init__.py

                 raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl))

                 raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl))

+    ## at least in UCS, all base GPO directories have AI set, so expect that

+    ## at least in UCS, all base GPO directories have AI set, so expect that

+    sd = security.descriptor.from_sddl(acl_expected_for_gpo, domainsid)

+    sd = security.descriptor.from_sddl(acl_expected_for_gpo, domainsid)

+    sd.type |= security.SEC_DESC_DACL_AUTO_INHERITED

+    sd.type |= security.SEC_DESC_DACL_AUTO_INHERITED

+    acl_expected_for_gpo = sd.as_sddl(domainsid)

+    acl_expected_for_gpo = sd.as_sddl(domainsid)

+

+

+    if fsacl_sddl_mapped != acl_expected_for_gpo:

+    if fsacl_sddl_mapped != acl_expected_for_gpo: