--- samba/provision/__init__.py.orig 2016-08-17 11:34:20.843860051 +0200
+++ samba/provision/__init__.py 2016-08-17 18:23:58.998801706 +0200
@@ -1484,12 +1484,17 @@ POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001
 SYSVOL_SERVICE="sysvol"
 def set_dir_acl(path, acl, lp, domsid, use_ntvfs, passdb, service=SYSVOL_SERVICE):
+ #print path
+ #print acl
+ #print use_ntvfs
 setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
 for root, dirs, files in os.walk(path, topdown=False):
 for name in files:
 setntacl(lp, os.path.join(root, name), acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
 for name in dirs:
+ #print os.path.join(root, name)
+ #print acl
 setntacl(lp, os.path.join(root, name), acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
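Review bot: The five `#print …` lines added to set_dir_acl are commented-out debug statements rather than documentation and should be removed before this is committed; a later reader cannot tell which of them were live while the fix was developed. If the path, ACL and use_ntvfs values are genuinely useful during provisioning, emit them through whatever logger this module already uses at debug level instead of leaving dormant print statements in the body.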
@@ -1627,8 +1632,23 @@ def acl_type(direct_db_access):
 def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
 fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
 fsacl_sddl = fsacl.as_sddl(domainsid)
- if fsacl_sddl != acl:
- raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
+
+ #Main fix starts here / 17-08-2016 / hupertz@univention.de
+ """changed acl in if-statements to acl_sddl"""
+ if isinstance(domainsid, str):
+ sid = security.dom_sid(domainsid)
+ elif isinstance(domainsid, security.dom_sid):
+ sid = domainsid
+ domainsid = str(sid)
+
+ sd = security.descriptor.from_sddl(acl, sid)
+ if sd.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)):
+ sd.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR))
+ acl_sddl = sd.as_sddl(sid)
+ #Main fix ends here
+
+ if fsacl_sddl != acl_sddl:
+ raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl_sddl))
 for root, dirs, files in os.walk(path, topdown=False):
 for name in files:
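Review bot: `sid` stays unbound when domainsid is neither a str nor a security.dom_sid, so the following `domainsid = str(sid)` fails with UnboundLocalError instead of a meaningful error; add an else branch such as `else: raise ProvisioningError('unexpected domainsid type %r' % type(domainsid))`. The bare string `"""changed acl in if-statements to acl_sddl"""` inside the function body is an expression statement, not a comment, and should become a `#` comment. The rewrite of the expected owner from DOMAIN_RID_ADMINS to DOMAIN_RID_ADMINISTRATOR widens what check_dir_acl accepts as matching, so the code needs a comment stating why the GPO object's Domain Admins owner is expected to appear as Administrator on the filesystem; without that rationale the check silently tolerates an owner that differs from the directory object. Note also that the top-level comparison still calls `fsacl.as_sddl(domainsid)` while the per-file and per-directory comparisons below use `sid`, which is worth unifying. check_dir_acl's os.walk loop continues past the end of this hunk.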
@@ -1636,19 +1656,20 @@ def check_dir_acl(path, acl, lp, domains
 direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
 if fsacl is None:
 raise ProvisioningError('%s ACL on GPO file %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
- fsacl_sddl = fsacl.as_sddl(domainsid)
- if fsacl_sddl != acl:
- raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
-
+ fsacl_sddl = fsacl.as_sddl(sid)
+
+ if fsacl_sddl != acl_sddl:
+ raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl_sddl))
+
 for name in dirs:
 fsacl = getntacl(lp, os.path.join(root, name),
 direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
 if fsacl is None:
 raise ProvisioningError('%s ACL on GPO directory %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
- fsacl_sddl = fsacl.as_sddl(domainsid)
- if fsacl_sddl != acl:
- raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
+ fsacl_sddl = fsacl.as_sddl(sid)
+ if fsacl_sddl != acl_sddl:
+ raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl_sddl))
 def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, direct_db_access):
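Review bot: The two `… %s %s not found!` messages on the context lines directly above the rewritten comparisons carry three `%s` placeholders but receive only two values, so the `raise` itself fails with a TypeError instead of the intended ProvisioningError; since this commit reworks the lines beside them, drop the extra placeholder in both (`'%s ACL on GPO file %s not found!'` and `'%s ACL on GPO directory %s not found!'`). After the change the file and directory branches differ only by the word in the message, so the getntacl / as_sddl / compare sequence could become one small helper taking that word as an argument. `sid` and `acl_sddl` are defined earlier in check_dir_acl, which begins outside this hunk.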
@@ -1680,8 +1701,12 @@ def check_gpos_acl(sysvol, dnsdomain, do
 acl = ndr_unpack(security.descriptor, str(policy["nTSecurityDescriptor"])).as_sddl()
 policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))
- check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
+ try:
+ check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
 domainsid, direct_db_access)
+ except Exception as e:
+ print e
+ continue
 def checksysvolacl(samdb, netlogon, sysvol, domainsid, dnsdomain, domaindn,
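Review bot: Wrapping check_dir_acl in `except Exception as e: print e; continue` turns an ACL mismatch — the condition this check exists to report — into a line on stdout, so check_gpos_acl now returns normally for a sysvol whose GPO ACLs are wrong and whatever calls checksysvolacl observes success. If the intent is to report every bad GPO rather than stopping at the first, collect the ProvisioningError messages and raise once after the loop, as sketched below; catching only ProvisioningError also stops unrelated bugs (a TypeError from a malformed message, for instance) from being silenced. The loop over policies starts before this hunk, so the `errors = []` initialisation the sketch relies on has to be added there.
```python
        try:
            check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
                 domainsid, direct_db_access)
        except ProvisioningError as e:
            # keep checking the remaining GPOs, but remember every failure
            errors.append(str(e))
    # … unchanged: end of the loop over policies …
    if errors:
        raise ProvisioningError("GPO ACL check failed:\n%s" % "\n".join(errors))
```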