For some time now, and for an unknown reason, with RSAT, we no longer have the option to add any user or group to the security filtering of a GPO except for the current user, provided they are a domain administrator. The window opens correctly, the "Check Names" button correctly searches for the user or group, but once "OK" is clicked, nothing happens.
We suspected a permissions issue with the sysvol folder and its contents. The command "samba-tool ntacl sysvolcheck" did return errors, including one concerning the owner of the folders containing the GPOs.
To avoid ACL errors on the GPOs, it seems that the "Domain Admin" group must be the owner of the folders. However, during synchronization between our two Active Directory instances, the "tis-sysvlosync" script reverts the administrator to the owner on the second Active Directory. Could this be the cause of the problem? I suppose not, since this script has always worked without any issues with security filtering.
Our infrastructure consists of two Active Directory domains with Samba 4.9.5 on Debian 10. The problem occurs with both old and new Group Policy Objects (GPOs).
Have you ever encountered this type of problem? What solution did you find?
Thank you for your help.
