[Samba] Samba4 and sysvol share

Matthieu Patou mat at samba.org
Mon Nov 7 02:56:54 MST 2011

Hello Felix,

Sorry for the very late answer,

On 27/09/2011 23:37, felix at epepm.cupet.cu wrote:
>> On 27/09/2011 13:07, felix at epepm.cupet.cu wrote:
>>> Hello.
>>> I noticed that any domain user can delete the content of the shared folder
>>> sysvol in the domain controller from a Windows client.
>>> How can I avoid that?
>>> Greetings,
>>> Felix
>> What's the default Windows behavior with this?
> Windows users              Windows permissions
> -------------------------------------------------
> Domain Admins----------->  Full Access
> Authenticated User------>  Read & Execute, List folder contents, Read
> CREATOR OWNER----------->  Special permissions (Maybe we don't need this)
> Server Operators-------->  Read & Execute, List folder contents, Read
> SYSTEM------------------>  Full Access
> Thanks for your attention.
> Felix.
Well, I redid a test today. In gpmc.msc (Group Policy Management
Console), I have no errors from Windows about the ACLs of the folders
for my policies.

I also ran XCACLS.vbs (can be found here: http://bit.ly/sOCc2E) on v: (I 
mapped \\server.domain.tld\sysvol to v:)

V:\>cscript "\\VBOXSVR\exchange\windows admin\XCACLS.vbs" v:
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Starting XCACLS.VBS (Version: 5.2) Script at 07/11/2011 10:40:24

Startup directory:

Arguments Used:
         Filename = "v:"

Directory: V:\

ControlFlags: 36868
Type     Username                Permissions           Inheritance

Allowed  BUILTIN\Administrators  Full Control          This Folder, Subfolde
Allowed  \                       Read and Execute      This Folder, Subfolde
Allowed  NT AUTHORITY\SYSTEM     Full Control          This Folder, Subfolde
Allowed  NT AUTHORITY\Authentica Read and Execute      This Folder, Subfolde

No Auditing set

Owner: TEST\administrator

Operation Complete
Elapsed Time: 0,6328125 seconds.

Ending Script at 07/11/2011 10:40:24

As you can see, there is no write access for the "normal" user
(authenticated users), just read and execute access.

For info here is my net use:

V:\>net use
New connections will be remembered.

Status       Local     Remote                    Network

OK           V:        \\ares.test.samba.home.matws.net\sysvol
                                                 Microsoft Windows Network

Matthieu Patou
Samba Team
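
Added example, not part of the original message: a small Python check that reads an XCACLS.vbs table like the one above and reports any Allowed ACE that grants more than read access to a principal outside a trusted list. The trusted list, the `TEST\Domain Admins` and `TEST\Domain Users` names, the "Read" and "Modify" permission names and the last sample row are assumptions constructed for the demonstration.

```python
import re

# Principals expected to hold write access on sysvol (assumed list, adjust per domain).
TRUSTED = (r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM", r"TEST\Domain Admins")
# Permission names treated as read-only; anything else is reported.
READ_ONLY = {"Read and Execute", "Read"}

# Constructed sample: the first four ACEs mirror the output in the message,
# the last one is an invented misconfiguration for the demonstration.
SAMPLE = r"""
Type     Username                Permissions           Inheritance

Allowed  BUILTIN\Administrators  Full Control          This Folder, Subfolde
Allowed  \                       Read and Execute      This Folder, Subfolde
Allowed  NT AUTHORITY\SYSTEM     Full Control          This Folder, Subfolde
Allowed  NT AUTHORITY\Authentica Read and Execute      This Folder, Subfolde
Allowed  TEST\Domain Users       Modify                This Folder, Subfolde

No Auditing set
"""

def parse_aces(text):
    """Return (username, permissions, truncated) for each Allowed row."""
    aces, cols = [], None
    for line in text.splitlines():
        if re.match(r"Type\s+Username\s+Permissions\s+Inheritance", line):
            # The table is fixed-width, so column offsets come from the header.
            cols = [line.index(h) for h in ("Username", "Permissions", "Inheritance")]
        elif cols and line.startswith("Allowed"):
            user = line[cols[0]:cols[1]].strip()
            perm = line[cols[1]:cols[2]].strip()
            # A name that fills its column was probably cut off by XCACLS.
            aces.append((user, perm, len(user) >= cols[1] - cols[0] - 1))
    return aces

def is_trusted(user, truncated):
    """Exact match, or prefix match when the displayed name was truncated."""
    return user in TRUSTED or (truncated and any(t.startswith(user) for t in TRUSTED))

def risky_aces(text):
    """Allowed ACEs giving more than read access to a non-trusted principal."""
    return [(user, perm) for user, perm, cut in parse_aces(text)
            if perm not in READ_ONLY and not is_trusted(user, cut)]

if __name__ == "__main__":
    for user, perm in risky_aces(SAMPLE):
        print(f"unexpected write-capable ACE: {user} -> {perm}")
```

Unknown permission strings are reported rather than ignored, so an unrecognised entry in the Permissions column shows up for manual review.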
