[cifs-protocol] [REG:114112312079323] Re: Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]

Obaid Farooqi obaidf at microsoft.com
Wed Dec 3 16:28:39 MST 2014


Hi Nadya:
Here is the default security descriptor for CN=Deleted Objects container:

O:SYD:PAI(A;;KA;;;SY)(A;;LCRP;;;BA)

Also in the human readable format:

Owner: NT AUTHORITY\SYSTEM
Group: NT AUTHORITY\SYSTEM

Access list:
{This object is protected from inheriting permissions from the parent}
Allow NT AUTHORITY\SYSTEM     SPECIAL ACCESS
                              DELETE
                              READ PERMISSIONS
                              WRITE PERMISSIONS
                              CHANGE OWNERSHIP
                              CREATE CHILD
                              DELETE CHILD
                              LIST CONTENTS
                              WRITE SELF
                              WRITE PROPERTY
                              READ PROPERTY
Allow BUILTIN\Administrators  SPECIAL ACCESS
                              LIST CONTENTS
                              READ PROPERTY


I used sysinternals tool psexec to run dsacls and ldp as system. The command lines are as follows:

C:\Users\Administrator\Downloads\PSTools>psexec -s dsacls "CN=Deleted Objects,DC=contoso,DC=com"

C:\Users\Administrator\Downloads\PSTools>psexec -s -i -d ldp

I have filed a bug against MS-ADTS to document the security descriptor in MS-ADTS.

Please let me know if it resolves your issue or not.



Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
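The SDDL string quoted above, decoded. This is an added example written for this page, not code from the thread, from dsacls or from any Microsoft tool; the only input taken from the mail is the SDDL string itself. The rights-token and SID-alias tables follow [MS-DTYP], the access-mask bit names follow what dsacls prints, and the non-admin user SID used at the end is a constructed placeholder. The parser is general for the O:/G:/D: components and allow/deny ACEs, so it goes somewhat beyond the two-ACE string in the mail; object-specific ACEs (non-empty GUID fields) are deliberately skipped because resolving them needs the schema.

```python
"""Decode the CN=Deleted Objects security descriptor from the mail
(O:SYD:PAI(A;;KA;;;SY)(A;;LCRP;;;BA)) into the per-right names dsacls prints,
then check which principals hold the LIST CONTENTS + READ PROPERTY pair the
thread says a caller needs on the container.  Added example, not the page's
own code; tables below are assumptions taken from [MS-DTYP] and dsacls output."""
import re

# Directory-service access-mask bits, in the order dsacls lists them.
DS_RIGHTS = [
    (0x00010000, "DELETE"),
    (0x00020000, "READ PERMISSIONS"),    # READ_CONTROL
    (0x00040000, "WRITE PERMISSIONS"),   # WRITE_DAC
    (0x00080000, "CHANGE OWNERSHIP"),    # WRITE_OWNER
    (0x00000001, "CREATE CHILD"),
    (0x00000002, "DELETE CHILD"),
    (0x00000004, "LIST CONTENTS"),
    (0x00000008, "WRITE SELF"),          # RIGHT_DS_WRITE_PROPERTY_EXTENDED
    (0x00000020, "WRITE PROPERTY"),
    (0x00000010, "READ PROPERTY"),
    (0x00000040, "DELETE TREE"),
    (0x00000080, "LIST OBJECT"),
    (0x00000100, "CONTROL ACCESS"),
]
DS_FULL_CONTROL = 0x000F01FF   # all of the above: what dsacls calls FULL CONTROL

# Two-letter SDDL rights tokens ([MS-DTYP] 2.5.1.1).  KA is KEY_ALL_ACCESS
# (0xF003F): on a DS object it covers the six low object rights plus the
# standard rights, but NOT DELETE TREE / LIST OBJECT / CONTROL ACCESS, which
# is why dsacls reports SYSTEM's ACE as SPECIAL ACCESS rather than FULL CONTROL.
SDDL_RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
}

# Well-known SID aliases that appear in the string ([MS-DTYP] 2.4.2.4).
SID_ALIASES = {
    "SY": ("S-1-5-18", r"NT AUTHORITY\SYSTEM"),
    "BA": ("S-1-5-32-544", r"BUILTIN\Administrators"),
    "AU": ("S-1-5-11", r"NT AUTHORITY\Authenticated Users"),
}

DELETED_OBJECTS_SDDL = "O:SYD:PAI(A;;KA;;;SY)(A;;LCRP;;;BA)"   # from the mail


def rights_mask(token_string):
    """'LCRP' -> 0x14, 'KA' -> 0xF003F, '0x14' -> 0x14."""
    if token_string.lower().startswith("0x"):
        return int(token_string, 16)
    if len(token_string) % 2:
        raise ValueError("odd-length SDDL rights string: %r" % token_string)
    mask = 0
    for i in range(0, len(token_string), 2):
        mask |= SDDL_RIGHTS[token_string[i:i + 2]]
    return mask


def mask_names(mask):
    return [name for bit, name in DS_RIGHTS if mask & bit]


def resolve_sid(token):
    return SID_ALIASES.get(token, (token, token))   # (SID, display name)


def parse_sddl(sddl):
    """Split O:/G:/D:/S: components; decode DACL flags and each ACE."""
    parts = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    dacl = parts.get("D", "")
    desc = {
        "owner": resolve_sid(parts["O"]) if "O" in parts else None,
        "group": resolve_sid(parts["G"]) if "G" in parts else None,
        "dacl_flags": re.findall(r"AI|AR|P", dacl.split("(", 1)[0]),  # P = protected
        "aces": [],
    }
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: %r" % ace)
        ace_type, ace_flags, rights, obj_guid, inh_guid, sid = fields[:6]
        mask = rights_mask(rights)
        full = (mask & DS_FULL_CONTROL) == DS_FULL_CONTROL or bool(mask & SDDL_RIGHTS["GA"])
        desc["aces"].append({
            "type": ace_type,                       # A = allow, D = deny
            "flags": [ace_flags[i:i + 2] for i in range(0, len(ace_flags), 2)],
            "mask": mask, "rights": mask_names(mask),
            "summary": "FULL CONTROL" if full else "SPECIAL ACCESS",
            "object_type": obj_guid, "inherited_object_type": inh_guid,
            "sid": resolve_sid(sid)[0], "trustee": resolve_sid(sid)[1],
        })
    return desc


def granted_mask(desc, principal_sids):
    """Walk the DACL in order: the first ACE to decide a bit wins, so a deny
    placed before an allow (canonical order) takes precedence for that bit.
    Object-specific and inherit-only ACEs are skipped (simplification)."""
    granted = denied = 0
    for ace in desc["aces"]:
        if ace["sid"] not in principal_sids or ace["object_type"] or "IO" in ace["flags"]:
            continue
        undecided = ace["mask"] & ~(granted | denied)
        if ace["type"] == "A":
            granted |= undecided
        elif ace["type"] == "D":
            denied |= undecided
    return granted


def can_list_deleted_objects(desc, principal_sids):
    """LIST CONTENTS + READ PROPERTY on the container, the pair the thread
    says is needed before a caller can see (and so undelete) tombstones."""
    need = SDDL_RIGHTS["LC"] | SDDL_RIGHTS["RP"]
    return (granted_mask(desc, principal_sids) & need) == need


if __name__ == "__main__":
    d = parse_sddl(DELETED_OBJECTS_SDDL)
    print("Owner:", d["owner"][1], "| DACL flags:", d["dacl_flags"])
    for ace in d["aces"]:
        print("Allow" if ace["type"] == "A" else "Deny", ace["trustee"], ace["summary"])
        for r in ace["rights"]:
            print("    " + r)
    # Constructed non-admin domain user: own SID plus Authenticated Users only.
    user = {"S-1-5-21-1111-2222-3333-1105", "S-1-5-11"}
    for who, sids in (("SYSTEM", {"S-1-5-18"}), ("Administrators", {"S-1-5-32-544"}), ("plain user", user)):
        print("%-15s can list Deleted Objects: %s" % (who, can_list_deleted_objects(d, sids)))
```

Running it reproduces the dsacls listing in the mail (SYSTEM: ten rights under SPECIAL ACCESS; Administrators: LIST CONTENTS and READ PROPERTY) and shows that a plain domain user matches no ACE at all, which is the default state the KB steps referenced later in the thread have to change before a non-admin can display the container's contents.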

From: "Obaid Farooqi" <obaidf at microsoft.com>
Sent: Sunday, November 23, 2014 1:20 PM
To: "Nadezhda Ivanova" <nivanova at samba.org>
Cc: "MSSolve Case Email" <casemail at microsoft.com>; "cifs-protocol at samba.org" <cifs-protocol at samba.org>
Subject: [REG:114112312079323] Re: Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]

Hi Nadiya:
I have created a new issue to deal with the security descriptor of deleted objects. I have also filed a bug to document the two additional permissions to undelete the tombstone objects against MS-ADTS.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

From: Obaid Farooqi
Sent: Wednesday, November 19, 2014 1:31 PM
To: 'Nadezhda Ivanova'
Cc: MSSolve Case Email; cifs-protocol at samba.org
Subject: RE: [REG:114102711953179] Re: Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]

Hi Nadiya:
I tried the steps in the kb article and that did enable me to display the objects in the “Deleted Objects” containers for a non-admin user.
I’ll file a bug against MS-ADTS to include the “LIST CONTENTS” and “READ PROPERTY” permissions on CN=Deleted Objects container to undelete a deleted object.

I am working to see how I can provide you with instructions to see the security descriptor of the deleted objects container.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
