Univention Bugzilla – Bug 30999
Domain Admins cannot create or modify Group Policies via GPMC
Last modified: 2013-11-19 06:43:46 CET
Ticket#: 2013032521001982 Currently GPOs can only be created/modified by the Administrator account (using the Windows GPMC). Members of the Domain Admins group (and the Group Policy Creator Owners group) get an "access denied" message. I tested this against a Samba4 DC (UCS Master) which was updated to UCS 3.1-1.
Created attachment 5164 [details] level 12 log of a denied attempt of GPO creation by user gpco3. The primary group of the user was "Domain Admins". Additionally the user was member of "Group Policy Creator Owners".
The problem occurs for users that have "Domain Admins" as their primary group, not for those that have "Domain Admins" as a secondary group. It seems to be caused by the way Samba treats the "force group = Authenticated Users" setting currently configured for the "[sysvol]" share. The debug traces show that Samba uses the gid of "Authenticated Users" for the share connection in this case. At some point, after creating the new GUID-folder for the new GPO, it checks the access rights for the new folder and, while the access rights are "Full Access" for "Domain Admins", Samba returns an ACCESS_DENIED. The reason seems to be that it replaces the primary group of the authenticated user by the "force group" and then, in a subsequent initgroup system call, it has no way to detect the "Domain Admins" group membership any more. This does not affect users that have e.g. "Domain Users" as their primary group and additionally are member of "Domain Admins".

With the current "[sysvol]" share configuration setting "force group = Authenticated Users" I can create GPOs with the following user:

uid=2013(admin2) gid=5001(Domain Users) Gruppen=5001(Domain Users),5000(Domain Admins)

There didn't seem to be any additional privileges attached to the "Group Policy Creator Owners" group. Only "Domain Admins" membership currently seems to grant creation rights for GPOs (starting the Group Policy Management tool as a non-Domain-Admin results in an authentication popup and a grayed-out "New" entry in the GPO creation context menu).

After manually commenting out the "force group" setting for the sysvol-share and restarting samba4, GPO creation is also possible for primary group members of "Domain Admins". We should test again the consequences for normal users with Samba 4.0.x. In a first test a GPO created as admin1 (primary member of "Domain Admins") could be evaluated by a normal member of "Domain Users", e.g. by running "gpupdate /force".
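To make the mechanism described in the comment above concrete, here is an added simulation (not code from the bug report or from Samba) of how replacing the primary gid with the "force group" before the initgroups lookup drops "Domain Admins" for users whose primary group it is. The passwd/group records are constructed to mirror the ids quoted above; the "Authenticated Users" gid 11000 and the user admin1 are assumed placeholders.

```python
# Constructed passwd-style records: user name -> (uid, primary gid).
PASSWD = {
    "admin1": (2012, 5000),   # primary group Domain Admins (assumed uid)
    "admin2": (2013, 5001),   # primary group Domain Users (as quoted in the report)
}

# Constructed group-style records: gid -> (name, explicit member list).
# As in /etc/group, a user whose *primary* group is X is usually not listed
# as an explicit member of X; only the primary gid links them to it.
GROUP = {
    5000: ("Domain Admins", ["admin2"]),
    5001: ("Domain Users", []),
    11000: ("Authenticated Users", []),  # placeholder gid for the force group
}

DOMAIN_ADMINS_GID = 5000


def initgroups(user, base_gid):
    """Mimic initgroups(3): base_gid plus every group that lists user explicitly."""
    groups = {base_gid}
    for gid, (_name, members) in GROUP.items():
        if user in members:
            groups.add(gid)
    return groups


def effective_groups(user, force_group_gid=None):
    """Groups smbd ends up with for the share connection.

    With 'force group' set, the user's primary gid is replaced by the forced
    gid *before* the initgroups lookup, so the primary-group link is lost.
    """
    _uid, primary_gid = PASSWD[user]
    base_gid = primary_gid if force_group_gid is None else force_group_gid
    return initgroups(user, base_gid)


def can_create_gpo(user, force_group_gid=None):
    """GPO creation needs Domain Admins among the effective groups."""
    return DOMAIN_ADMINS_GID in effective_groups(user, force_group_gid)


if __name__ == "__main__":
    for user in PASSWD:
        print(user,
              "| no force group:", can_create_gpo(user),
              "| force group = Authenticated Users:", can_create_gpo(user, 11000))
```

Running it shows admin1 losing GPO creation rights only when the force group is applied, while admin2 (Domain Admins as a secondary group) is unaffected, matching the observed behaviour.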
The force group was introduced as a workaround for a GPO accessibility problem with the alpha17+smbd configuration for UCS 3.0 before the new s3fs.
*** Bug 29362 has been marked as a duplicate of this bug. ***
We will not ship a UCS 3.1-2 release; the next UCS release will be UCS 3.2. As such, this bug is moved to the new target milestone.
OK, I've removed the option. Changelog: 45218 Code: r45217
Ok, nice, this works now. Tested by logging in as a new member of "Domain Admins" and creating, modifying, assigning and evaluating a new GPO. Changelog: Ok.
UCS 3.2 has been released: http://docs.univention.de/release-notes-3.2-en.html http://docs.univention.de/release-notes-3.2-de.html If this error occurs again, please use "Clone This Bug".