[cifs-protocol] [REG:114112312079323] Re: Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]
Obaid Farooqi
obaidf at microsoft.com
Wed Dec 3 16:28:39 MST 2014
Hi Nadya:
Here is the default security descriptor for CN=Deleted Objects container:
O:SYD:PAI(A;;KA;;;SY)(A;;LCRP;;;BA)
Also in the human readable format:
Owner: NT AUTHORITY\SYSTEM
Group: NT AUTHORITY\SYSTEM
Access list:
{This object is protected from inheriting permissions from the parent}
Allow NT AUTHORITY\SYSTEM SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
Allow BUILTIN\Administrators SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
I used sysinternals tool psexec to run dsacls and ldp as system. The command lines are as follows:
C:\Users\Administrator\Downloads\PSTools>psexec -s dsacls "CN=Deleted Objects,DC=contoso,DC=com"
C:\Users\Administrator\Downloads\PSTools>psexec -s -i -d ldp
I have filed a bug against MS-ADTS to document the security descriptor in MS-ADTS.
Please let me know if it resolves your issue or not.
Regards,
Obaid Farooqi
Escalation Engineer | Microsoft
Exceeding your expectations is my highest priority. If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
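The descriptor quoted above, decoded in code as an added example that is not part of the thread: a small Python SDDL parser that expands O:SYD:PAI(A;;KA;;;SY)(A;;LCRP;;;BA) into the dsacls-style rights list shown above and checks whether a trustee holds the LIST CONTENTS and READ PROPERTY rights on CN=Deleted Objects that the thread identifies as needed to undelete. Bit values and SDDL token names come from the Win32 headers; only the four built-in SID aliases listed are translated, any other SID is returned verbatim.

```python
import re
# Access-mask bits as dsacls names them: AD object rights in the low byte,
# standard rights in bits 16-19 (values from the Win32 headers).
RIGHT_NAMES = [
    (0x1, "CREATE CHILD"), (0x2, "DELETE CHILD"), (0x4, "LIST CONTENTS"),
    (0x8, "WRITE SELF"), (0x10, "READ PROPERTY"), (0x20, "WRITE PROPERTY"),
    (0x40, "DELETE TREE"), (0x80, "LIST OBJECT"), (0x100, "CONTROL ACCESS"),
    (0x10000, "DELETE"), (0x20000, "READ PERMISSIONS"),
    (0x40000, "WRITE PERMISSIONS"), (0x80000, "CHANGE OWNERSHIP"),
]
# SDDL rights tokens -> mask; KA (0x000F003F) is the token used for SYSTEM in the thread.
TOKEN_MASK = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
              "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
              "WD": 0x40000, "WO": 0x80000, "KA": 0xF003F}
SID_NAMES = {"SY": r"NT AUTHORITY\SYSTEM", "BA": r"BUILTIN\Administrators",
             "AU": r"NT AUTHORITY\Authenticated Users", "WD": "Everyone"}
UNDELETE_MASK = TOKEN_MASK["LC"] | TOKEN_MASK["RP"]   # the two rights the thread identifies
# Constructed input: the default descriptor quoted in the thread.
DELETED_OBJECTS_SDDL = "O:SYD:PAI(A;;KA;;;SY)(A;;LCRP;;;BA)"

def rights_mask(field):
    """Turn an SDDL rights field ('LCRP', 'KA' or a hex literal) into an access mask."""
    if field.startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= TOKEN_MASK[field[i:i + 2]]   # KeyError flags an unknown token
    return mask

def parse_sddl(sddl):
    """Return owner, the DACL-protected flag and (ace_type, trustee, mask) triples."""
    owner = re.search(r"O:([A-Z]{2}|S-[\d-]+)", sddl)
    dacl = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(2) if dacl else ""):
        ace_type, _flags, rights, _obj, _inherit, sid = ace.split(";")[:6]
        aces.append((ace_type, SID_NAMES.get(sid, sid), rights_mask(rights)))
    return {"owner": SID_NAMES.get(owner.group(1), owner.group(1)) if owner else None,
            "protected": "P" in (dacl.group(1) if dacl else ""), "aces": aces}

def right_names(mask):
    """dsacls-style names for the bits set in mask, in dsacls display order."""
    return [name for bit, name in RIGHT_NAMES if mask & bit]

def can_undelete(sddl, trustee):
    """True if Allow ACEs for trustee grant both LIST CONTENTS and READ PROPERTY."""
    granted = 0
    for ace_type, who, mask in parse_sddl(sddl)["aces"]:
        if ace_type == "A" and who == trustee:
            granted |= mask
    return (granted & UNDELETE_MASK) == UNDELETE_MASK
```

Run against the default descriptor, BUILTIN\Administrators passes the check and a principal with no ACE on the container (for example Authenticated Users) does not, which is the non-admin case the thread discusses.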
From: "Obaid Farooqi" <obaidf at microsoft.com>
Sent: Sunday, November 23, 2014 1:20 PM
To: "Nadezhda Ivanova" <nivanova at samba.org>
Cc: "MSSolve Case Email" <casemail at microsoft.com>; "cifs-protocol at samba.org" <cifs-protocol at samba.org>
Subject: [REG:114112312079323] Re: Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]
Hi Nadiya:
I have created a new issue to deal with the security descriptor of deleted objects. I have also filed a bug against MS-ADTS to document the two additional permissions needed to undelete the tombstone objects.
Regards,
Obaid Farooqi
Escalation Engineer | Microsoft
From: Obaid Farooqi
Sent: Wednesday, November 19, 2014 1:31 PM
To: 'Nadezhda Ivanova'
Cc: MSSolve Case Email; cifs-protocol at samba.org
Subject: RE: [REG:114102711953179] Re: Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]
Hi Nadiya:
I tried the steps in the kb article and that did enable me to display the objects in the “Deleted Objects” containers for a non-admin user.
I’ll file a bug against MS-ADTS to include the “LIST CONTENTS” and “READ PROPERTY” permissions on CN=Deleted Objects container to undelete a deleted object.
I am working to see how I can provide you with instructions to see the security descriptor of the deleted objects container.
Regards,
Obaid Farooqi
Escalation Engineer | Microsoft