The SYSVOL GPOs are replicated back from Master after their deletion on Slave. For instance: 1. Create a GPO on DC Slave: samba-tool gpo create TEST_GPO_BUG --username=Administrator --password=univention GPO 'TEST_GPO_BUG' created as {5FEDA627-965E-4391-A10C-863ABB995148} 2. Run sync or just wait for cron job on Slave: root@slave2032:/usr/share/univention-samba4/scripts# ./sysvol-sync.sh 3. Run sync or just wait for cron job on Master: root@master203:/root/# /usr/share/univention-samba4/scripts/sysvol-sync.sh 4. Make sure that GPO was replicated to Master: root@master203:/var/lib/samba/sysvol/autotest203.local/Policies# ls | grep {5FEDA627-965E-4391-A10C-863ABB995148} {5FEDA627-965E-4391-A10C-863ABB995148} 5. Remove the GPO on Slave: root@slave2032:/usr/share/univention-samba4/scripts# samba-tool gpo del {5FEDA627-965E-4391-A10C-863ABB995148} --username=Administrator --password=univention GPO {5FEDA627-965E-4391-A10C-863ABB995148} deleted. 6. Make sure that GPO was deleted: root@slave2032:/var/lib/samba/sysvol/autotest203.local/Policies# ls | grep {5FEDA627-965E-4391-A10C-863ABB995148} 7. Run sync or just wait for cron job: root@slave2032:/usr/share/univention-samba4/scripts# ./sysvol-sync.sh 8. Deleted GPO is back-replicated: root@slave2032:/var/lib/samba/sysvol/autotest203.local/Policies# ls | grep {5FEDA627-965E-4391-A10C-863ABB995148} {5FEDA627-965E-4391-A10C-863ABB995148} 9. Thus, with every clean-up script run -> it is deleted; With every sync-up script run it is back-replicated again.
This issue has been filled against UCS@school 3.2. The maintenance with bug and security fixes for UCS@school 3.2 has ended on Dec 31, 2016. Customers still on UCS 3.x are encouraged to update to UCS 4.3 (or later). Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.