[cifs-protocol] Question about owner and group defaulting rules in MS-ADTS

Bill Wesse billwe at microsoft.com
Tue Aug 4 07:13:06 MDT 2009

Good morning! I have created case SRX090804600022 to track our work for your request. One of my team colleagues will take ownership of the case and contact you shortly.

Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606

From: Nadezhda Ivanova [mailto:nadezhda.ivanova at postpath.com]
Sent: Tuesday, August 04, 2009 3:58 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Question about owner and group defaulting rules in MS-ADTS

In MS-ADTS, section, the following is written:

The GROUP field is defaulted as follows:

* If the DAG was used as the default OWNER field value, then the same SID is written into the GROUP field.

However, it appears that the creating user's primary group is ALWAYS used as the default group, regardless of partition or owner.
We create an object in the domain partition, say an OU, without providing an nTSecurityDescriptor. The creating user is a member of Domain Admins, with primary group Domain Users, so the DAG is Domain Admins as per the DAG rules in the same document. Domain Admins is used as the OWNER in the new object's security descriptor. According to the above statement, Domain Admins should also be set as the default group. However, on a Windows 2003 server, Domain Users is defaulted as the group in the new object's descriptor. If the user's primary group is changed to Domain Admins, then the group of the new object is defaulted to Domain Admins.

The above behavior is consistent with the CreateSecurityDescriptor algorithm from MS-DTYP, where the primary group of the security token is assigned if a group is not provided.

Could you please clarify the contradiction between MS-ADTS, MS-DTYP and actual behavior?

Nadezhda Ivanova

Nadezhda Ivanova
Software Engineer
Software Development

nadezhda.ivanova at postpath.com

18 Macedonia Blvd. Sofia 1606
Cisco home page: <http://www.cisco.com/global/BG/>

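The two GROUP-defaulting rules the question contrasts, modelled side by side as an added example (constructed for this page; not code from MS-ADTS, MS-DTYP, Windows or Samba). The SIDs are constructed, and the choice of Enterprise Admins as the DAG outside the domain partition is an assumption; the rest follows the rules as the message states them.

```python
"""Compare the MS-ADTS wording for the default GROUP with the MS-DTYP /
observed Windows 2003 rule (token primary group), for a given creator token.
Constructed example; SIDs below are made up except for the well-known RIDs."""
from dataclasses import dataclass, field

DOMAIN = "S-1-5-21-1000-2000-3000"      # constructed domain SID
DOMAIN_ADMINS = DOMAIN + "-512"          # well-known RID 512
DOMAIN_USERS = DOMAIN + "-513"           # well-known RID 513
ENTERPRISE_ADMINS = DOMAIN + "-519"      # well-known RID 519


@dataclass(frozen=True)
class Token:
    """Minimal security token: user SID, primary group SID, group memberships."""
    user: str
    primary_group: str
    groups: frozenset = field(default_factory=frozenset)


def default_administrators_group(partition: str) -> str:
    """DAG per partition; Enterprise Admins for non-domain NCs is an assumption."""
    return DOMAIN_ADMINS if partition == "domain" else ENTERPRISE_ADMINS


def default_owner(token: Token, partition: str) -> str:
    """OWNER rule as the thread describes it: the DAG if the creator is a member."""
    dag = default_administrators_group(partition)
    return dag if dag in token.groups else token.user


def default_group_adts(token: Token, partition: str) -> str:
    """GROUP as worded in MS-ADTS: reuse the DAG when it was used as OWNER."""
    owner = default_owner(token, partition)
    dag = default_administrators_group(partition)
    return dag if owner == dag else token.primary_group


def default_group_dtyp(token: Token, partition: str) -> str:
    """GROUP per MS-DTYP CreateSecurityDescriptor and observed behaviour."""
    return token.primary_group


def compare(token: Token, partition: str = "domain") -> dict:
    """Both defaults for one creation, plus whether the two documents disagree."""
    adts = default_group_adts(token, partition)
    dtyp = default_group_dtyp(token, partition)
    return {"owner": default_owner(token, partition), "group_adts": adts,
            "group_dtyp": dtyp, "contradiction": adts != dtyp}


if __name__ == "__main__":
    # The scenario from the message: Domain Admins member, primary group Domain Users.
    admin = Token(DOMAIN + "-1104", DOMAIN_USERS, frozenset({DOMAIN_USERS, DOMAIN_ADMINS}))
    print(compare(admin))
```

Changing the token's primary group to Domain Admins makes both rules agree, matching the second observation in the message.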
