About ACL

Sassy Natan sassyn at gmail.com
Sun Oct 11 13:55:28 MDT 2009

Hi All

Can GPO now control the password age, history etc?

In Alpha 8 GPO parameters on the Default Domain Policy didn't effect
the password systems (Which mean they were using the default - Complex
Password for example)



On Sun, Oct 11, 2009 at 9:23 PM, Matthieu Patou <mat at matws.net> wrote:
> Hello Nadya,
> I made a few tests today on GPO and it's back online, good job.
> Now that's it's working and that I think I found a the root cause of rights
> problems with GPO (sDrightEffective attribute see bug 6801), I am starting
> to be more picky about the differences between w2kx and s4.
> For some reason it seems that s4 is doing inheritance on ACLs when w2kx
> (w2k3 for sure) is not doing it. It' clearly visible in GPMC because there
> is a delegation for Pre  Windows 2000 group and Domain Admins group when
> there is none in w2k3.
> A deeper analysis on SDDL show it more clearly.
> For the moment it does no harm but I think it means that we are now
> calculating all the ACL in the correct way and maybe one day it'll bite us
> ...
> I attached to this email sddl for s4 and w2k3, I normalized them so that
> it's quite easy to see the difference in xxdiff (but any graphical diff
> would do).
> Matthieu

More information about the samba-technical mailing list