[cifs-protocol] [REG:110051073884304] RE: About GPMC and ACLs

Hongwei Sun hongweis at microsoft.com
Thu Jun 10 17:04:37 MDT 2010


Hi, Matthieu,

   I have downloaded the GPMC with SP1 from the following link http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en and installed it on an XP machine.  I ran the same test by opening a GPO on a Windows 2008 DC from GPMC in XP.  The attached network trace shows that the tool never queried the security descriptor of the main policy folder.  I cannot find the query in the code either.  Could you verify whether you are using the same GPMC download as I used?  And it will be good if you can run GPMC against a Windows DC to see if you can see the same behavior.

  Please let me know.

Thanks!

Hongwei      


-----Original Message-----
From: Matthieu Patou [mailto:mat at samba.org] 
Sent: Wednesday, June 02, 2010 3:35 AM
To: Hongwei Sun; pfif at tridgell.net; cifs-protocol at samba.org
Cc: MSSolve Case Email
Subject: Re: [REG:110051073884304] RE: About GPMC and ACLs

Hello hongwei,

It's downloaded from the internet, as the one which comes with the
administration pack is "limited".

Version seems to be 1.0.2 (from GPMC.msc then help then about group 
policy management).

Matthieu.
  On 02/06/2010 02:59, Hongwei Sun wrote:
> Matthieu,
>
>    Any update?
>
> Thanks!
>
> Hongwei
>
> -----Original Message-----
> From: Hongwei Sun
> Sent: Wednesday, May 26, 2010 6:01 PM
> To: 'Matthieu Patou'
> Cc: MSSolve Case Email
> Subject: RE: [REG:110051073884304] RE: About GPMC and ACLs
>
> Matthieu,
>
>     I spent some time investigating the behavior you reported.  I created multiple Windows DCs (Windows 2008 and Windows 2008 R2) and used GPMC to open policies on remote DCs.  From the network captures, I don't see any SMB packet for querying the SecurityDescriptor of the {Domain}\Policy folder.  It only checks the individual policy folder.  As I understand, Windows XP doesn't include the GPMC tool by default and the user has to install it.  Which version of the GPMC tool are you using?  Could you find the version number from the "Help" menu?
>
>    Also, could you run GPMC from a Windows 2008 or Windows 2008 R2 machine to see if there is any difference?
>
> Thanks!
>
> Hongwei
>
>
> -----Original Message-----
> From: Matthieu Patou [mailto:mat+Informatique.Samba at matws.net]
> Sent: Saturday, May 15, 2010 5:11 AM
> To: Hongwei Sun
> Cc: MSSolve Case Email
> Subject: Re: [REG:110051073884304] RE: About GPMC and ACLs
>
> On 15/05/2010 07:19, Hongwei Sun wrote:
>    
>> Matthieu,
>>
>>      It takes a while to get back to normal after the travel headache on my way back to the U.S.  I spent some time double-checking the logic used for checking DS/FS ACL consistency.  I still didn't see that the SD of the SYSVOL\policies folder is checked explicitly in the logic.  Only the SYSVOL\Policies\ {GUID} is queried explicitly and used in the logic.  I suspect that it is queried for some other reason.  I will have to set up the environment to repro the SMB traffic and debug further.  What OS do you use for the testing in the trace?
>>
>>
>>      
> It was Windows XP SP2.
> Did you see in the trace that there is somehow an SMB call to get the
> NTACLS of <domain>\Policies?
> Also I'm not sure it's present in this trace, but I had one (lost
> because it was stored in /tmp) when I hit "OK please correct the rotten acls"
> that showed that GPMC was trying to set several ACLs on the GPO folder
> (rather different ones from the previous one).
>
> Matthieu.
>    
>> Thanks!
>>
>> Hongwei
>>
>> -----Original Message-----
>> From: Matthieu Patou [mailto:mat+Informatique.Samba at matws.net]
>> Sent: Thursday, May 06, 2010 5:09 PM
>> To: Hongwei Sun
>> Subject: About GPMC and ACLs
>>
>> Hongwei,
>>
>> Here is the capture,
>>
>> The most interesting part is from packet 873, when I retry to click on a newly created GPO.
>> At packet 1025 I receive the message that there is a mismatch and I click OK to get it fixed.
>>
>> The capture ends when the data flow stops.
>>
>> As I told you, at packet 1101 and packet 1119 you can see that Windows tries to put two different ACLs (at least != number of ACEs but there is one on S-1-3-0 also).
>>
>> We can see in the capture that around the moment that GPMC is checking the DS/FS ACL consistency, it also has a look at the <domain>\Policies folder.
>>
>> Regards.
>>
>> Matthieu.
>>
>>      
>
>    


-- 
Matthieu Patou
Samba Team        http://samba.org


-------------- next part --------------
A non-text attachment was scrubbed...
Name: GPO-mismatch.cap
Type: application/octet-stream
Size: 62968 bytes
Desc: GPO-mismatch.cap
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20100610/77a94327/attachment-0001.obj>

