Failed to Validate GPO Security Descriptor


When AD Bridge fails to validate Active Directory and GPO Security Descriptor, the following is returned:

Error: Failed to validate the discretionary access control list
Error: Failed to validate GPO Security Descriptor


This typically occurs when there is a failure to validate the system access control list and discretionary access control list.


We have created a Security Descriptor tool usage: /opt/pbis/libexec/verify-sd <hex-string>. This tool displays relative security descriptor validation error information. It accepts hex string representations of security descriptors and performs the same validation checks as gpagent.