[cifs-protocol] Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1

Nadezhda Ivanova nivanova at samba.org
Mon Oct 27 08:18:51 MDT 2014


Dear Dochelp,
I am currently trying to implement the proper access checking when
executing an undelete operation, and I have established that the
access rights described in 3.1.1.5.3.7.1, when granted to a regular
Domain User, are not enough to enable that user to perform an Undelete
operation.
Some investigation showed that the user also needs List Children
permission on the Deleted Objects container, but I can't find this
mentioned in ADTS. Am I looking in the wrong place?

Also, could you please direct me to where the default security
descriptor of a Deleted Objects container (say, after a fresh
installation) is documented? It seems that it is a special case -
according to http://support.microsoft.com/kb/892806, inheritance is
broken, and even Domain Admins are only allowed a very limited set of
rights. I would appreciate some more specific information than the
output of the tool; an example SD in SDDL format would be best.

Best Regards,
Nadezhda Ivanova
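As an added illustration (not part of the original message, and not Samba or Microsoft code), the Python below performs the ordered-DACL walk that AD applies to a security descriptor given in SDDL, for a given set of token SIDs. It shows why a token carrying only the user's SID, Domain Users, Authenticated Users and Everyone is refused List Children (LC) on an object whose protected (P) DACL has no entry for any of those SIDs, and how an explicit (A;;LC;;;DU) entry, or a deny placed ahead of it, changes the outcome. The domain SID, the user RID and the stand-in descriptor are constructed for the example; the stand-in is not the default descriptor of the Deleted Objects container that the message asks about, and a single-domain forest is assumed when the EA alias is expanded.

```python
"""Ordered-DACL access check over an SDDL string, modelled on the Windows/AD
access-check walk. Added example, not Samba or Microsoft code. Every SID and
descriptor below is constructed; the stand-in descriptor is NOT the documented
default security descriptor of the Deleted Objects container."""
import re
from collections import namedtuple

# SDDL access-right abbreviations (ADS_RIGHT_* values plus standard rights).
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
# Generic-to-specific mapping for directory objects (DS_GENERIC_* in ntdsapi.h).
GENERIC_MAP = {0x80000000: 0x20094, 0x40000000: 0x20028,
               0x20000000: 0x20004, 0x10000000: 0xF01FF}
ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:((?:P|AI|AR)*)((?:\([^)]*\))*)")
# kind: A/D/OA/OD; flags: {CI, OI, IO, ...}; mask: specific rights only.
Ace = namedtuple("Ace", "kind flags mask object_guid sid")

def normalize(mask):
    """Replace generic bits with the specific DS rights they stand for."""
    for generic, specific in GENERIC_MAP.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask

def parse_mask(text):
    if text.lower().startswith("0x"):
        return int(text, 16)
    return sum(RIGHTS[text[i:i + 2]] for i in range(0, len(text), 2))

def resolve_sid(tok, domain_sid):
    """Expand the SDDL aliases used here; anything else is a literal SID.
    EA is really forest-root-relative; a single-domain forest is assumed."""
    aliases = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "AU": "S-1-5-11",
               "WD": "S-1-1-0", "DA": domain_sid + "-512",
               "DU": domain_sid + "-513", "EA": domain_sid + "-519"}
    return aliases.get(tok, tok)

def parse_dacl(sddl, domain_sid):
    """Return (dacl_flags, [Ace, ...]); 'P' in the flags means the DACL is
    protected, i.e. it does not inherit ACEs from the parent container."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL in SDDL")
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        kind, flags, rights, obj_guid, _inherit_guid, sid = body.split(";")
        aces.append(Ace(kind, {flags[i:i + 2] for i in range(0, len(flags), 2)},
                        normalize(parse_mask(rights)), obj_guid.lower(),
                        resolve_sid(sid, domain_sid)))
    return m.group(1), aces

def access_check(sddl, token_sids, desired, domain_sid, object_type=None):
    """True iff every bit of `desired` is granted to a token holding token_sids.
    ACEs are walked in order: a deny that hits a still-needed bit ends the
    check, an allow clears bits, and success comes when nothing remains."""
    _flags, aces = parse_dacl(sddl, domain_sid)
    remaining = normalize(desired)
    for ace in aces:
        if "IO" in ace.flags or ace.sid not in token_sids:
            continue  # inherit-only ACEs do not apply to the object itself
        if ace.kind in ("OA", "OD") and ace.object_guid \
                and ace.object_guid != (object_type or "").lower():
            continue  # object ACE scoped to some other property/control right
        if ace.kind in ("D", "OD"):
            if ace.mask & remaining:
                return False
        elif ace.kind in ("A", "OA"):
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0

DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # made-up domain SID
# Constructed stand-in: protected DACL with entries for SYSTEM, Domain Admins
# and Builtin Administrators only, and no entry at all for Domain Users.
DELETED_OBJECTS_SD = ("O:DAG:DAD:P(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
                      "(A;;LCRPLORC;;;DA)(A;;LCRPLORC;;;BA)")

def domain_user_token(domain_sid, rid=1105):
    """SIDs a plain domain user's token carries: the user (made-up RID 1105),
    Domain Users, Authenticated Users and Everyone."""
    return {f"{domain_sid}-{rid}", f"{domain_sid}-513", "S-1-5-11", "S-1-1-0"}

def can_list_children(sddl, token_sids, domain_sid=DOMAIN_SID):
    """Does this token hold List Children (LC) on the object with this SD?"""
    return access_check(sddl, token_sids, RIGHTS["LC"], domain_sid)

if __name__ == "__main__":
    user = domain_user_token(DOMAIN_SID)
    print("protected:", "P" in parse_dacl(DELETED_OBJECTS_SD, DOMAIN_SID)[0])
    print("Domain User LC:", can_list_children(DELETED_OBJECTS_SD, user))
    print("Domain Admin LC:",
          can_list_children(DELETED_OBJECTS_SD, user | {DOMAIN_SID + "-512"}))
    print("Domain User LC after (A;;LC;;;DU):",
          can_list_children(DELETED_OBJECTS_SD + "(A;;LC;;;DU)", user))
```

Run as a script it prints the four results for the constructed data. To examine a real container, pass the SDDL string obtained from the directory (and the real domain SID) in place of the constructed ones; the DACL flags returned by parse_dacl show directly whether the descriptor is protected, and access_check reports whether a given token clears LC or any other mask on it.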

