[cifs-protocol] Undelete operation security considerations [MS-ADTS] [REG: 114102711953179]

Obaid Farooqi obaidf at microsoft.com
Mon Oct 27 09:02:46 MDT 2014

Hi Nadiya:
Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.

Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

-----Original Message-----
From: nivanova.samba at gmail.com [mailto:nivanova.samba at gmail.com] On Behalf Of Nadezhda Ivanova
Sent: Monday, October 27, 2014 9:19 AM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: Undelete operation security considerations [MS-ADTS]

Dear Dochelp,
I am currently trying to implement the proper access checking when executing an undelete operation, and I have established that the access rights described in, when granted to a regular Domain User, are not enough to enable that user to perform an Undelete operation.
Some investigation showed that the user also needs List Children permission on the Deleted Objects container, but I can't find this mentioned in ADTS. Am I looking in the wrong place?

Also, could you please direct me to where the default security descriptor of a Deleted Objects container (say, after a fresh installation) is documented? It seems that it is a special case - according to http://support.microsoft.com/kb/892806, inheritance is broken, and even Domain Admins are only allowed a very limited set of rights. I would appreciate some more specific information than the output of the tool; an example SD in SDDL format would be best.

Best Regards,
Nadezhda Ivanova
