<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="State"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="Street"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="City"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="address"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="country-region"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="place"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
p
{mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
p.Default, li.Default, div.Default
{margin:0in;
margin-bottom:.0001pt;
text-autospace:none;
font-size:12.0pt;
font-family:Verdana;
color:black;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:1790297887;
mso-list-type:hybrid;
mso-list-template-ids:-1517807904 -1 -1 -1 -1 -1 -1 -1 -1 -1;}
@list l0:level1
{mso-level-text:"";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l0:level2
{mso-level-start-at:0;
mso-level-text:"";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l0:level3
{mso-level-start-at:0;
mso-level-text:"";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l0:level4
{mso-level-start-at:0;
mso-level-text:"";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l0:level5
{mso-level-start-at:0;
mso-level-text:"";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l0:level6
{mso-level-start-at:0;
mso-level-text:"";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l0:level7
{mso-level-start-at:0;
mso-level-text:"";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l0:level8
{mso-level-start-at:0;
mso-level-text:"";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l0:level9
{mso-level-start-at:0;
mso-level-text:"";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Hi,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>In MS-ADTS, section 7.1.3.6, is written the following:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=Default><font size=1 color=black face=Verdana><span style='font-size:
9.0pt'>The GROUP field is defaulted as follows: <o:p></o:p></span></font></p>
<p class=Default style='text-indent:.5in'><font size=1 color=black
face=Wingdings><span style='font-size:9.0pt;font-family:Wingdings'>§ </span></font><font
size=1><span style='font-size:9.0pt'>If the DAG was used as the default OWNER
field value, then the same SID is written into the GROUP field. <o:p></o:p></span></font></p>
<p class=Default><font size=1 color=black face=Verdana><span style='font-size:
9.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>However, it appears that the creating user’s primary
group is ALWAYS used as the default group, regardless of partition or owner. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Example:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>We create an object in the domain partition, say an OU,
without providing an nTSecurityDescriptor. The creating user is a member of
Domain Admins, with primary group Domain Users, so the DAG is Domain admins as
per the DAG rules in the same document. Domain Admins is used as the OWNER in
the new object’s security descriptor. According to the above statement,
Domain Admins should also be set as the default group. However, in a Windows
2003 server, Domain Users is defaulted as the group in the new object’s
descriptor. If the user’s primary group is changed to Domain Admins, then
the group of the new object is defaulted to Domain Admins.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>The above behavior is consistent with
CreateSecurityDescriptor algorithm from MS-DTYP, where the primary group of the
security token is assigned if a group is not provided. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Could you please clarify the contradiction between <st1:place
w:st="on"><st1:City w:st="on">MS-ADTS</st1:City>, <st1:State w:st="on">MS</st1:State></st1:place>-DTYP
and actual behavior?<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Regards,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Nadezhda Ivanova<o:p></o:p></span></font></p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=543
style='width:407.25pt'>
<tr>
<td colspan=3 style='padding:0in 0in 0in 0in'>
<p class=MsoNormal><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'><img width=110 height=73 id="_x0000_i1025"
src="cid:image001.gif@01CA14F2.5F337750"><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td nowrap valign=top style='padding:0in 0in 11.25pt .25in'>
<p><strong><b><font size=1 color="#666666" face=Arial><span style='font-size:
8.5pt;font-family:Arial;color:#666666'>Nadezhda Ivanova</span></font></b></strong><font
size=1 color="#666666" face=Arial><span style='font-size:8.5pt;font-family:
Arial;color:#666666'><br>
<strong><b><font face=Arial><span style='font-family:Arial'>Software Engineer</span></font></b></strong><br>
<strong><b><font face=Arial><span style='font-family:Arial'>Software
Development</span></font></b></strong><b><span style='font-weight:bold'><br>
</span></b><br>
<a href="mailto:nadezhda.ivanova@postpath.com"><font color="#666666"
face="Times New Roman"><span style='font-family:"Times New Roman";color:#666666'>nadezhda.ivanova@postpath.com</span></font></a><o:p></o:p></span></font></p>
</td>
<td nowrap valign=top style='padding:0in 0in 7.5pt 15.0pt'>
<p style='margin-bottom:12.0pt'><strong><b><font size=1 color="#666666"
face=Arial><span style='font-size:8.5pt;font-family:Arial;color:#666666'>CISCO
SYSTEMS <st1:country-region w:st="on"><st1:place w:st="on">BULGARIA</st1:place></st1:country-region>
EOOD</span></font></b></strong><font size=1 color="#666666" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#666666'><br>
<st1:address w:st="on"><st1:Street w:st="on">18 Macedonia Blvd.</st1:Street> <st1:City
w:st="on">Sofia</st1:City></st1:address> 1606<br>
<st1:country-region w:st="on"><st1:place w:st="on">Bulgaria</st1:place></st1:country-region><br>
<a href="http://www.cisco.com/global/BG/"><font color="#666666"
face="Times New Roman"><span style='font-family:"Times New Roman";color:#666666'>Cisco
home page</span></font></a><o:p></o:p></span></font></p>
</td>
<td width=155 style='width:116.25pt;padding:0in 0in 0in 0in'>
<p class=MsoNormal><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> <o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0in .25in 0in .25in'>
<p class=MsoNormal><font size=1 color="#009900" face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:#009900'><img border=0
width=18 height=19 id="_x0000_i1026" src="cid:image002.gif@01CA14F2.5F337750"
alt="Think before you print.">Think before you print.<o:p></o:p></span></font></p>
</td>
<td style='border:none;padding:0in 0in 0in 0in' width=362 colspan=2><p class='MsoNormal'> </td>
</tr>
</table>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
</body>
</html>