Status on GPO ACLs

Andrew Bartlett abartlet at
Mon Nov 12 23:09:36 MST 2012

On Mon, 2012-11-05 at 23:23 -0800, Matthieu Patou wrote:
> On 11/05/2012 03:13 AM, Andrew Bartlett wrote:
> > The status for me on GPO ACLs is that I've written more tests (attached
> > for the curious), but not ready as they don't pass make test.
> >
> > The new code is a 'samba-tool gpo aclcheck' command.  It is very much
> > the same idea as 'samba-tool ntacl sysvolcheck', but remote, and so can
> > be run against Windows.
> >
> > The more serious issue is while they almost pass in Samba4, they don't
> > even come close on Windows 2008R2.  They show that everything I thought
> > I knew about GPO ACLs I don't know - the dsacl2fsacl function is not
> > what happens on a windows DC, at least for the default group policy at
> > install time.
> This function was created after a long discussion with MS on how to 
> translate the DS ACL of a GPO to the FS ACL; it might be worth asking one more 
> time, as it might have changed over time.
> Most of the tests were done with Windows 2003 Server, if I recall well, 
> and with Windows XP clients when resetting the ACLs. When you adprep a 
> Windows 2003 to Windows 2003 R2 you have an option for updating GPOs' 
> ACLs; it might mean that there are 2 rules ... one for before W2K3 R2 and one 
> for after.
> > I need to play around more, but in short I need to understand the
> > requirements here much better before I proceed on any more work to 'fix'
> > the code any further.
> Matthieu.


I've been looking at this again, and we are closer than I feared,
particularly if we look at new GPOs created on Windows, not just the
existing ones.

The biggest difference appears to be the SACL - if we eliminate that, a
new GPO matches. 

I came across your threads with dochelp, and it certainly looks like you
have covered this pretty comprehensively otherwise.

Hopefully this means we are at the end of the road here, which would be
a great relief. 


Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
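The check Andrew describes, comparing the security descriptor of a GPO as Windows sets it against the one Samba produces and then seeing whether the only remaining difference is the SACL, can be done on the SDDL strings alone. The following is an added example written for this page; it is not code from samba-tool or from Samba's dsacl2fsacl, and it uses no Samba bindings. It splits an SDDL string into its O:/G:/D:/S: components, extracts the ACEs, and reports differences with or without the SACL taken into account. The two sample descriptors are constructed for the illustration and are not the actual default GPO ACLs of any Windows or Samba version; the comparison treats ACE order as insignificant, which is an assumption made here for the sake of a canonical comparison.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Top-level SDDL components: Owner, Group, DACL, SACL.
COMPONENTS = ("O", "G", "D", "S")

# Constructed sample descriptors (not real Windows/Samba defaults).
# The "Windows" one carries a SACL with one audit ACE; the "Samba" one has
# the same owner, group and DACL (ACEs listed in a different order) and no SACL.
WINDOWS_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;CI;RPLCLORC;;;AU)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)"
    "S:AI(AU;CIIDSA;WPWDWO;;;WD)"
)
SAMBA_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;CI;RPLCLORC;;;AU)"
)


@dataclass
class SecurityDescriptor:
    owner: Optional[str] = None
    group: Optional[str] = None
    dacl_flags: str = ""
    dacl: List[str] = field(default_factory=list)
    sacl_flags: str = ""
    sacl: List[str] = field(default_factory=list)


def split_components(sddl: str) -> Dict[str, str]:
    """Split an SDDL string into its O:/G:/D:/S: parts.

    A component marker is only recognised at parenthesis depth 0, so the
    'S' of an account SID such as S-1-5-32-544 inside an ACE, or the 'D'
    of the DA alias, is never mistaken for the start of a component.
    """
    parts: Dict[str, str] = {}
    current = None
    depth = 0
    i = 0
    while i < len(sddl):
        ch = sddl[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if depth == 0 and ch in COMPONENTS and sddl[i + 1:i + 2] == ":":
            current = ch
            parts[current] = ""
            i += 2
            continue
        if current is None:
            raise ValueError(f"SDDL must start with a component marker: {sddl!r}")
        parts[current] += ch
        i += 1
    return parts


def _parse_acl(text: str) -> Tuple[str, List[str]]:
    """Split an ACL component into its flags (e.g. 'PAI') and ACE bodies."""
    first = text.find("(")
    if first < 0:
        return text, []
    return text[:first], re.findall(r"\(([^()]*)\)", text[first:])


def parse_sddl(sddl: str) -> SecurityDescriptor:
    parts = split_components(sddl)
    sd = SecurityDescriptor(owner=parts.get("O"), group=parts.get("G"))
    if "D" in parts:
        sd.dacl_flags, sd.dacl = _parse_acl(parts["D"])
    if "S" in parts:
        sd.sacl_flags, sd.sacl = _parse_acl(parts["S"])
    return sd


def _diff_aces(name: str, left: List[str], right: List[str]) -> List[str]:
    # Order-insensitive comparison (assumption for this example).
    out = [f"{name}: ACE only in first: ({a})" for a in sorted(set(left) - set(right))]
    out += [f"{name}: ACE only in second: ({a})" for a in sorted(set(right) - set(left))]
    return out


def compare_descriptors(a: str, b: str, ignore_sacl: bool = False) -> List[str]:
    """Return human-readable differences between two SDDL strings."""
    sa, sb = parse_sddl(a), parse_sddl(b)
    diffs: List[str] = []
    if sa.owner != sb.owner:
        diffs.append(f"owner: {sa.owner} != {sb.owner}")
    if sa.group != sb.group:
        diffs.append(f"group: {sa.group} != {sb.group}")
    if sa.dacl_flags != sb.dacl_flags:
        diffs.append(f"DACL flags: {sa.dacl_flags!r} != {sb.dacl_flags!r}")
    diffs += _diff_aces("DACL", sa.dacl, sb.dacl)
    if not ignore_sacl:
        if sa.sacl_flags != sb.sacl_flags:
            diffs.append(f"SACL flags: {sa.sacl_flags!r} != {sb.sacl_flags!r}")
        diffs += _diff_aces("SACL", sa.sacl, sb.sacl)
    return diffs


def sacl_only_difference(a: str, b: str) -> bool:
    """True when the descriptors differ, but only in their SACLs."""
    return bool(compare_descriptors(a, b)) and not compare_descriptors(a, b, ignore_sacl=True)


if __name__ == "__main__":
    for line in compare_descriptors(WINDOWS_SDDL, SAMBA_SDDL):
        print(line)
    print("differs only in SACL:", sacl_only_difference(WINDOWS_SDDL, SAMBA_SDDL))
```

Run as a script it lists the SACL flag and audit-ACE differences and then reports that the two constructed descriptors match once the SACL is set aside; a real check would feed it the SDDL read from the GPO object in the directory and from the SYSVOL directory on each side.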
