[cifs-protocol] Group Policy questions (SRX091011600003 [MS-GPSB] Group Policy AD ACL to File ACL)

Bill Wesse billwe at microsoft.com
Sun Oct 11 08:28:21 MDT 2009

Good morning Matthieu - thanks for your questions concerning ACLs on group policy & associated file objects. I have created the case noted below to track our work and responses against this. One of my colleagues will take ownership of the case and contact you tomorrow.

SRX091011600003 [MS-GPSB] Group Policy AD ACL to File ACL

Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606

-----Original Message-----
From: Matthieu Patou [mailto:mat+Informatique.Samba at matws.net] 
Sent: Sunday, October 11, 2009 7:28 AM
To: Interoperability Documentation Help; pfif at tridgell.net; cifs-protocol at samba.org
Subject: Group Policy questions


We are facing some problems with group policies and I would like to have 
more information on the following points.

Currently Samba is not able to set correctly acl on policy folders so 
that they are "synchronized" with the acl for the policy object in the AD.
So every time a policy is selected in gpmc.msc we receive the message 
indicating that the ACL are not in sync ....
1) What is the algorithm to transform the AD ACL for Group Policy Object 
into the ACL for the associated files in \\realm\sysvol ? Lot of us 
tried different things without success
2) If I modify the ACL of a the Policy directory on a w2k3 DC, I am 
offered with the to opportunity to correct this when I select the GPO in 
gpmc. On a S4 server it's not the case but I the ACL for the policy 
object are the SAME in S4 and in w2k3 and I am testing with the domain 
administrator (ie. default administrator with rid 500). It seems that 
the it's not only the SID or the group membership that trigger the right 
to adjust the ACL. What can influence one or the other behavior ?
3) In the delegation tab of the GPMC tool I am just offered the 
"advanced" button other are grayed (no possiblity to add or remove a 
delegation ... I click "advanced" it appear that I can't do much even if 
the owner of the object is "Domain admins" and that the Administrator is 
a member of it. It seems that there is also here a subtle logic. Can you 
explain it ?

For your information the SDDL of the acl of a new policy is the 
following one:



Matthieu Patou.

More information about the cifs-protocol mailing list