provision: No longer use the wheel group in new AD Domains

The issue here is that if we set S-1-5-32-544 (administrators) to a
GID only, then users cannot force a mandetory profile to be owned by
administrators (which is a requirement).

There is no particularly useful reason for us to enforce this matching
a system group.

Andrew Bartlett

1 files changed, 2 insertions, 2 deletions

diff --git a/source4/scripting/python/samba/upgradehelpers.py b/source4/scripting/python/samba/upgradehelpers.py
index 55de4be9e4d..81fb8dc0f42 100644
--- a/source4/scripting/python/samba/upgradehelpers.py
+++ b/source4/scripting/python/samba/upgradehelpers.py
@@ -251,7 +251,7 @@ def newprovision(names, creds, session, smbconf, provdir, logger):
             hostname=names.netbiosname.lower(), hostip=None, hostip6=None,
             invocationid=names.invocation, adminpass=names.adminpass,
             krbtgtpass=None, machinepass=None, dnspass=None, root=None,
-            nobody=None, wheel=None, users=None,
+            nobody=None, users=None,
             serverrole="domain controller",
             backend_type=None, ldapadminpass=None, ol_mmr_urls=None,
             slapd_path=None,
@@ -615,7 +615,7 @@ def update_gpo(paths, samdb, names, lp, message, force=0):
 
     if resetacls:
        try:
-            setsysvolacl(samdb, paths.netlogon, paths.sysvol, names.wheel_gid,
+            setsysvolacl(samdb, paths.netlogon, paths.sysvol, names.root_gid,
                         names.domainsid, names.dnsdomain, names.domaindn, lp)
        except TypeError, e:
            acl_error(e)