[cifs-protocol] Group Policy questions (SRX091011600003 [MS-GPSB] Group Policy AD ACL to File ACL)
Bill Wesse
billwe at microsoft.com
Sun Oct 11 08:28:21 MDT 2009
Good morning Matthieu - thanks for your questions concerning ACLs on group policy & associated file objects. I have created the case noted below to track our work and responses against this. One of my colleagues will take ownership of the case and contact you tomorrow.
SRX091011600003 [MS-GPSB] Group Policy AD ACL to File ACL
Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL: +1(980) 776-8200
CELL: +1(704) 661-5438
FAX: +1(704) 665-9606
-----Original Message-----
From: Matthieu Patou [mailto:mat+Informatique.Samba at matws.net]
Sent: Sunday, October 11, 2009 7:28 AM
To: Interoperability Documentation Help; pfif at tridgell.net; cifs-protocol at samba.org
Subject: Group Policy questions
Hello,
We are facing some problems with group policies and I would like to have
more information on the following points.
Currently Samba is not able to set correctly acl on policy folders so
that they are "synchronized" with the acl for the policy object in the AD.
So every time a policy is selected in gpmc.msc we receive the message
indicating that the ACL are not in sync ....
1) What is the algorithm to transform the AD ACL for Group Policy Object
into the ACL for the associated files in \\realm\sysvol ? Lot of us
tried different things without success
2) If I modify the ACL of a the Policy directory on a w2k3 DC, I am
offered with the to opportunity to correct this when I select the GPO in
gpmc. On a S4 server it's not the case but I the ACL for the policy
object are the SAME in S4 and in w2k3 and I am testing with the domain
administrator (ie. default administrator with rid 500). It seems that
the it's not only the SID or the group membership that trigger the right
to adjust the ACL. What can influence one or the other behavior ?
3) In the delegation tab of the GPMC tool I am just offered the
"advanced" button other are grayed (no possiblity to add or remove a
delegation ... I click "advanced" it appear that I can't do much even if
the owner of the object is "Domain admins" and that the Administrator is
a member of it. It seems that there is also here a subtle logic. Can you
explain it ?
For your information the SDDL of the acl of a new policy is the
following one:
O:S-1-5-21-3208502064-746857408-2662927446-512G:S-1-5-21-3208502064-746857408-2662927446-513D:PAI(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5
-21-3208502064-746857408-2662927446-512)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-
21-3208502064-746857408-2662927446-519)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-2
1-3208502064-746857408-2662927446-512)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(
A;;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(OA;;CR;edacfd8f-ffb3-11d1
-b41d-00a0c968f939;;AU)(A;;RPLCLORC;;;ED)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)
(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446
-519)(A;CIID;LC;;;RU)S:(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf9
67aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-00
00f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
Regards.
Matthieu Patou.
More information about the cifs-protocol
mailing list