<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.default, li.default, div.default
        {mso-style-name:default;
        margin:0in;
        margin-bottom:.0001pt;
        text-autospace:none;
        font-size:12.0pt;
        font-family:"Verdana","sans-serif";
        color:black;}
span.EmailStyle19
        {mso-style-type:personal;
        font-family:"Arial","sans-serif";
        color:windowtext;}
span.EmailStyle21
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hi Nadezhda:<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>We have finished our investigation on &#8220;Owner and Group
Defaulting Rules&#8221;. In a future version of MS-ADTS, sections 7.1.3.6 and
7.1.3 will be modified. Please find the PDF version of the modifications attached
to this email.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Please let me know if this answers your question. If yes,
I&#8217;ll consider this issue resolved.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Regards,<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Obaid Farooqi<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Sr. Support Escalation Engineer | Microsoft<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Nadezhda Ivanova
[mailto:nadezhda.ivanova@postpath.com] <br>
<b>Sent:</b> Tuesday, August 04, 2009 2:58 AM<br>
<b>To:</b> Interoperability Documentation Help<br>
<b>Cc:</b> pfif@tridgell.net; cifs-protocol@samba.org<br>
<b>Subject:</b> Question about owner and group defaulting rules in MS-ADTS<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Hi,<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>In
MS-ADTS, section 7.1.3.6, the following is written:<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

<p class=default><span style='font-size:9.0pt'>The GROUP field is defaulted as
follows: <o:p></o:p></span></p>

<p class=default style='text-indent:.5in'><span style='font-size:9.0pt;
font-family:Wingdings'>§ </span><span style='font-size:9.0pt'>If the DAG was
used as the default OWNER field value, then the same SID is written into the
GROUP field. <o:p></o:p></span></p>

<p class=default><span style='font-size:9.0pt'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>However,
it appears that the creating user&#8217;s primary group is ALWAYS used as the
default group, regardless of partition or owner. <o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Example:<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>We
create an object in the domain partition, say an OU, without providing an
nTSecurityDescriptor. The creating user is a member of Domain Admins, with
primary group Domain Users, so the DAG is Domain Admins as per the DAG rules in
the same document. Domain Admins is used as the OWNER in the new object&#8217;s
security descriptor. According to the above statement, Domain Admins should
also be set as the default group. However, on a Windows 2003 server, Domain
Users is defaulted as the group in the new object&#8217;s descriptor. If the
user&#8217;s primary group is changed to Domain Admins, then the group of the
new object is defaulted to Domain Admins.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The
above behavior is consistent with the CreateSecurityDescriptor algorithm from
MS-DTYP, where the primary group of the security token is assigned if a group
is not provided. <o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Could
you please clarify the contradiction between MS-ADTS, MS-DTYP and actual
behavior?<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Regards,<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Nadezhda
Ivanova<o:p></o:p></span></p>

<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=543
 style='width:407.25pt'>
 <tr>
  <td nowrap valign=top style='padding:0in 0in 11.25pt .25in'>
  <p><strong><span style='font-size:8.5pt;font-family:"Arial","sans-serif";
  color:#666666'>Nadezhda Ivanova</span></strong><span style='font-size:8.5pt;
  font-family:"Arial","sans-serif";color:#666666'><br>
  <strong><span style='font-family:"Arial","sans-serif"'>Software Engineer</span></strong><br>
  <strong><span style='font-family:"Arial","sans-serif"'>Software Development</span></strong><b><br>
  </b><br>
  <a href="mailto:nadezhda.ivanova@postpath.com"><span style='font-family:"Times New Roman","serif";
  color:#666666'>nadezhda.ivanova@postpath.com</span></a><o:p></o:p></span></p>
  </td>
  <td nowrap valign=top style='padding:0in 0in 7.5pt 15.0pt'>
  <p style='margin-bottom:12.0pt'><strong><span style='font-size:8.5pt;
  font-family:"Arial","sans-serif";color:#666666'>CISCO SYSTEMS BULGARIA EOOD</span></strong><span
  style='font-size:8.5pt;font-family:"Arial","sans-serif";color:#666666'><br>
  18 Macedonia Blvd. Sofia 1606<br>
  Bulgaria<br>
  <a href="http://www.cisco.com/global/BG/"><span style='font-family:"Times New Roman","serif";
  color:#666666'>Cisco home page</span></a><o:p></o:p></span></p>
  </td>
  <td width=155 style='width:116.25pt;padding:0in 0in 0in 0in'>
  <p class=MsoNormal>&nbsp;<o:p></o:p></p>
  </td>
 </tr>
</table>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>
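<p class=MsoNormal>Added example, not part of the original thread and not Microsoft's or Samba's code: a Python check that reads the O: and G: parts of a new object's SDDL string and reports whether the GROUP follows the rule quoted from MS-ADTS 7.1.3.6 (the DAG copied into GROUP) or the creating token's primary group, as in MS-DTYP. The function names, the assumed O:/G: ordering and the sample SDDL strings are constructed for illustration.</p>

```python
import re

# Assumption: the SDDL starts with O:owner then G:group, each either a
# two-letter alias (DA = Domain Admins, DU = Domain Users) or an S-... SID.
_HEADER = re.compile(
    r"^O:(?P<owner>S-[0-9-]+|[A-Z]{2})G:(?P<group>S-[0-9-]+|[A-Z]{2})"
)

def owner_and_group(sddl):
    """Return (owner, group) taken from the head of an SDDL string."""
    m = _HEADER.match(sddl)
    if m is None:
        raise ValueError("SDDL has no O:/G: header: %r" % sddl)
    return m.group("owner"), m.group("group")

def classify_group_default(sddl, dag, primary_group):
    """Say which defaulting rule the GROUP field of a new object matches.

    dag           -- SID/alias the DAG rules select for the creating user
    primary_group -- primary group of the creating user's token
    """
    owner, group = owner_and_group(sddl)
    quoted_rule = owner == dag and group == dag   # MS-ADTS 7.1.3.6 as quoted
    token_rule = group == primary_group           # MS-DTYP behaviour
    if quoted_rule and token_rule:
        return "ambiguous"      # primary group equals the DAG: rules agree
    if token_rule:
        return "primary-group"
    if quoted_rule:
        return "dag-as-group"
    return "neither"

# Constructed descriptors modelled on the two cases described in the thread.
# Case 1: member of Domain Admins, primary group Domain Users.
CASE_PRIMARY_DU = "O:DAG:DUD:(A;;GA;;;DA)"
# Case 2: same user after the primary group is changed to Domain Admins.
CASE_PRIMARY_DA = "O:DAG:DAD:(A;;GA;;;DA)"

if __name__ == "__main__":
    print(classify_group_default(CASE_PRIMARY_DU, "DA", "DU"))
    print(classify_group_default(CASE_PRIMARY_DA, "DA", "DA"))
```

<p class=MsoNormal>Only the first case separates the two rules; once the primary group equals the DAG, both rules produce the same GROUP, so an interoperability test needs a creating user whose primary group differs from the DAG.</p>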

</div>

</body>

</html>