Status on GPO ACLs

Matthieu Patou mat at matws.net
Tue Nov 6 00:23:56 MST 2012


On 11/05/2012 03:13 AM, Andrew Bartlett wrote:
> The status for me on GPO ACLs is that I've written more tests (attached
> for the curious), but not ready as they don't pass make test.
>
> The new code is a 'samba-tool gpo aclcheck' command.  It is very much
> the same idea as 'samba-tool ntacl sysvolcheck', but remote, and so can
> be run against Windows.
>
> The more serious issue is while they almost pass in Samba4, they don't
> even come close on Windows 2008R2.  They show that everything I thought
> I knew about GPO ACLs I don't know - the dsacl2fsacl function is not
> what happens on a Windows DC, at least for the default group policy at
> install time.
This function was created after a long discussion with MS on how to
translate the DS ACL of a GPO to an FS ACL. It might be worth asking one
more time; it might have changed over time.

Most of the tests were done with Windows 2003 server, if I recall
correctly, and with Windows XP clients when resetting the ACLs. When you
adprep a Windows 2003 to Windows 2003R2 you have an option for updating
GPOs' ACLs; it might mean that there are 2 rules ... one for before
w2k3r2 and one for after.
> I need to play around more, but in short I need to understand the
> requirements here much better before I proceed on any more work to 'fix'
> the code any further.
Matthieu.

