a few SD questions

Matthieu Patou mat at matws.net
Sun Nov 22 13:15:38 MST 2009 

Hello nadya,

I made some tests today with GPO and it seems that things are getting a 
lot more better

Below it's the SD for a newly created policy, it quite OK just we have 
the duplicate ACL for Domain Admins due to the fact that the creator 
owner is Domain Admin. Also I think that we should have the AI control 
flag as the SD is DACL_PROTECTED and that it has some (all?) ACL from 
the parent SD. Also those inherited ACE should have the flag DI 
(although it isn't very clear what is the effect of this flag, seems 
more cosmetic than something else to me).

O:S-1-5-21-487418869-183637953-2310109715-512G:
S-1-5-21-487418869-183637953-2310109715-513D:P
(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-512)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-2
  1-487418869-183637953-2310109715-519)
(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-
 
487418869-183637953-2310109715-512)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;C
  I;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-1
  1d1-b41d-00a0c968f939;;AU)
(A;CI;RPLCLORC;;;ED)
S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0
 
-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP
 
;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD
  )



In the same time here is the SD for a newly create gpo in w2k3:
They are identical for the DACL part, there is still some difference on 
the sacl part. Also it's worth noting that the group is different

O:S-1-5-21-3208502064-746857408-2662927446-512G:S-1-5-21-3208502064-746857408-2662927446-512
D:PAI
(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-512)
(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-519)
(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-512)
(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
(A;CI;RPLCLORC;;;AU)
(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
(A;CI;RPLCLORC;;;ED)
S:AI
(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)


Matthieu.

More information about the samba-technical mailing list