[Samba] Sysvol GPO ACLs problem
Rowland penny
rpenny at samba.org
Mon May 11 11:55:06 UTC 2020
On 11/05/2020 12:33, Pablo Sanz Fernández wrote:
> Sorry Rowland, didn't read that part.
>
> Yes, the 'Domain Admins' group has the gidNumber attribute with the value "512", and 'BUILTIN\Server Operators' the value "549".

I can sort of understand why 'Domain Admins' has a gidNumber, but why
'Server Operators'?

The only group from the Windows 'Well Known SIDs' that requires a
gidNumber attribute is 'Domain Users'. You can give 'Domain Admins' a
gidNumber, but there is a problem with doing that: it turns the Windows
group into a Unix group ;-)

That might sound like it isn't a problem, except that a Windows group
can own files and directories and a Unix group cannot, which is where we
came in: Domain Admins needs to own things in Sysvol ;-)

I create a group (I use the imaginative name of 'Unix Admins'), give
this group a gidNumber and make it a member of Domain Admins. Then I use
the group wherever I would normally use Domain Admins, except for Sysvol.

Rowland
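
A check for the condition discussed in this message, added here as an example and not part of the original thread or of Samba: it reads LDIF in the style printed by ldbsearch and reports well-known groups, other than 'Domain Users', that carry a gidNumber. Assumptions: objectSid appears as a string SID, "well-known" is taken to mean BUILTIN SIDs or domain RIDs below 1000, and the sample records are constructed.

```python
# Constructed ldbsearch-style LDIF (dn, objectSid, gidNumber). The domain SID,
# DNs and the 10000/10001 gidNumbers are made up; 512 and 549 are from the thread.
SAMPLE_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
gidNumber: 512

dn: CN=Server Operators,CN=Builtin,DC=example,DC=com
objectSid: S-1-5-32-549
gidNumber: 549

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10000

dn: CN=Unix Admins,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
gidNumber: 10001
"""

DOMAIN_USERS_RID = 513  # the only well-known group that needs a gidNumber


def parse_ldif(text):
    """Return one {attribute: value} dict per blank-line-separated record."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (ln.split(": ", 1) for ln in block.splitlines()
                 if ": " in ln and not ln.startswith("#"))
        records.append({attr: value.strip() for attr, value in pairs})
    return records


def is_well_known(sid):
    """Assumed rule: BUILTIN (S-1-5-32-*) or a domain RID below 1000."""
    rid = int(sid.rsplit("-", 1)[1])
    return sid.startswith("S-1-5-32-") or (sid.startswith("S-1-5-21-") and rid < 1000)


def flag_unix_mapped_groups(text):
    """DNs of well-known groups, other than Domain Users, that carry a gidNumber."""
    flagged = []
    for rec in parse_ldif(text):
        sid = rec.get("objectSid")
        if not sid or "gidNumber" not in rec:
            continue  # not a group record, or no Unix mapping on it
        is_domain_users = sid.startswith("S-1-5-21-") and sid.endswith(f"-{DOMAIN_USERS_RID}")
        if is_well_known(sid) and not is_domain_users:
            flagged.append(rec.get("dn", "?"))
    return flagged
```

On the constructed sample this reports 'Domain Admins' and 'Server Operators', and leaves 'Domain Users' and the separate 'Unix Admins' group alone.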