Domain controller security policy tool
Matthieu Patou
mat at samba.org
Wed May 19 15:37:07 MDT 2010
Hello Anatoly,
> Hi Matthieu,
>
> I have to open that tool and edit User Rights Assignment like so:
> * Add the 'Manage Security' group to the 'Manage Auditing and Security Log' policy.
> How can I open that tool against Samba at all?
> Is this possible to do with Samba?
> Is this working via LDAP or else?
>
>
Thanks for pointing me to this ... as I suspected, this tool is just a
shortcut to edit the default domain controller policy.
You can achieve the same by editing the default domain controller policy
in gpmc (with w7/w2k8r2), path in the tool is:
Computer Policy -> Windows Settings -> Security Settings -> local policy
-> User rights assignments
It turns out that this modifies this file:
/home/mat/workspace/samba/homematwsnet/sysvol/home.matws.net/Policies/\{E516A47C-5E5B-4A3D-8F5F-167510F8C1AC\}/MACHINE/Microsoft/Windows\ NT/SecEdit/GptTmpl.inf
where {E516A47C-5E5B-4A3D-8F5F-167510F8C1AC} is the GUID of the policy
and
/home/mat/workspace/samba/homematwsnet/sysvol/home.matws.net/Policies/
is the path on Linux for policies.
Here is the content of the file (it's utf16).
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeSecurityPrivilege = *S-1-5-32-544
So basically you should be able to just put a utf16 encoded file + create
folders + do a little trick on policy control file GPT.ini at the root
of the default domain policy folder.
But please ask wilco because he is a guru on server side policy
manipulation.
Cheers, Matthieu.
--
Matthieu Patou
Samba Team http://samba.org
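
Added example, not part of the original message and not Samba's own code: a Python sketch that decodes a UTF-16 GptTmpl.inf like the one quoted above, reads its [Privilege Rights] section, and reports any trustee that is not in an approved baseline. The function names, the baseline dictionary and the little-endian fallback for a file without a BOM are assumptions made for illustration.

```python
import configparser

# Sample input: the GptTmpl.inf content quoted in the message above,
# rebuilt here as a string so the example runs offline.
SAMPLE_INF = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
    "[Privilege Rights]\r\nSeSecurityPrivilege = *S-1-5-32-544\r\n"
)


def decode_inf(raw: bytes) -> str:
    """Decode GptTmpl.inf bytes; the file is UTF-16, normally with a BOM."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")      # the BOM selects the byte order
    return raw.decode("utf-16-le")       # assumption: no BOM means little-endian


def privilege_rights(raw: bytes) -> dict:
    """Return {privilege: [trustee, ...]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                 # keep privilege names as written
    cp.read_string(decode_inf(raw))
    if not cp.has_section("Privilege Rights"):
        return {}
    rights = {}
    for name, value in cp.items("Privilege Rights"):
        # Trustees are comma-separated; a leading '*' marks a SID, not a name.
        rights[name] = [t.strip().lstrip("*") for t in value.split(",") if t.strip()]
    return rights


def unexpected_trustees(raw: bytes, baseline: dict) -> dict:
    """Return trustees present in the file but absent from the baseline."""
    extra = {}
    for name, trustees in privilege_rights(raw).items():
        diff = [t for t in trustees if t not in baseline.get(name, [])]
        if diff:
            extra[name] = diff
    return extra


if __name__ == "__main__":
    data = b"\xff\xfe" + SAMPLE_INF.encode("utf-16-le")
    print(privilege_rights(data))
    print(unexpected_trustees(data, {"SeSecurityPrivilege": ["S-1-5-32-544"]}))
```

Run against the real file under the sysvol Policies path, a non-empty result from `unexpected_trustees` means a user right has been granted beyond the reviewed baseline.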
More information about the samba-technical
mailing list