About ACL

Matthieu Patou mat+Informatique.Samba at matws.net
Sun Oct 11 14:43:25 MDT 2009

On 10/11/2009 11:55 PM, Sassy Natan wrote:
> Hi All
> Can GPO now control the password age, history etc?
GPO can control everything on client
> In Alpha 8 GPO parameters on the Default Domain Policy didn't effect
> the password systems (Which mean they were using the default - Complex
> Password for example)
This is server side (or DC side) parameters, for the moment nothing is 
done, but a set of script should help you already to change some of them.

We had a talk once with Mathias about this, tridge also noted it (check 
My vision is to use inotify api (for linux and equivalent on other os) 
to watch for creation and/or modification of GPO, then use libgpo to 
parse it and then update the interesting attributes in S4 provision that 
needs to be updated.
I'm not sure that everybody share this vision, feel free to contribute a 
solution !

> 10x
> Sassy
> On Sun, Oct 11, 2009 at 9:23 PM, Matthieu Patou<mat at matws.net>  wrote:
>> Hello Nadya,
>> I made a few tests today on GPO and it's back online, good job.
>> Now that's it's working and that I think I found a the root cause of rights
>> problems with GPO (sDrightEffective attribute see bug 6801), I am starting
>> to be more picky about the differences between w2kx and s4.
>> For some reason it seems that s4 is doing inheritance on ACLs when w2kx
>> (w2k3 for sure) is not doing it. It' clearly visible in GPMC because there
>> is a delegation for Pre  Windows 2000 group and Domain Admins group when
>> there is none in w2k3.
>> A deeper analysis on SDDL show it more clearly.
>> For the moment it does no harm but I think it means that we are now
>> calculating all the ACL in the correct way and maybe one day it'll bite us
>> ...
>> I attached to this email sddl for s4 and w2k3, I normalized them so that
>> it's quite easy to see the difference in xxdiff (but any graphical diff
>> would do).
>> Matthieu

More information about the samba-technical mailing list