sysvol permissions

Rowland Penny repenny241155 at gmail.com
Mon Jun 27 18:51:15 UTC 2016


Hi, in provision '__init__.py', the permissions for sysvol and the 
policies directory are set to this:

SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"

But on this Microsoft webpage:

https://technet.microsoft.com/en-us/library/cc816750%28v=ws.10%29.aspx

They are shown as this:

"%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"

"%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"


Which would mean that they should be set to:

SYSVOL_ACL = "O:LAG:BAD:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
POLICIES_ACL = "O:LAG:BAD:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"

This is basically the same as Samba's but with the addition of 'Creator 
Owner'.

Finally, the owner is given as 'O:LA'; this comes up time and time again 
on the Samba mailing list: 'sysvolreset' errors out because the owner 
has been changed to 'O:DA', presumably when a GPO is added.

Now, before I waste my time creating a patch to correct the above 
problems, has anybody got any objections to the changes, i.e. changing 
the owner and adding 'Creator Owner'?

Rowland
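
The comparison made in the post, as an added example that is not part of the original message or of Samba's code: it parses the four SDDL strings quoted above, expands the generic rights to file access masks, and reports which ACEs differ. The helper names are hypothetical, and it assumes the generic rights are compared using the Windows file-object mapping (FILE_GENERIC_* values).

```python
import re

# Generic rights expanded to file access masks (Windows FILE_GENERIC_* values).
FILE_RIGHTS = {
    "GA": 0x001F01FF,  # FILE_ALL_ACCESS
    "GR": 0x00120089,  # FILE_GENERIC_READ
    "GW": 0x00120116,  # FILE_GENERIC_WRITE
    "GX": 0x001200A0,  # FILE_GENERIC_EXECUTE
    "SD": 0x00010000,  # DELETE
}

# The four strings below are copied from the post.
SAMBA_SYSVOL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
SAMBA_POLICIES = SAMBA_SYSVOL + "(A;OICI;0x001301bf;;;PA)"
MS_SYSVOL = "D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
MS_POLICIES = MS_SYSVOL + "(A;CIOI;GRGWGXSD;;;PA)"

def rights_to_mask(rights):
    """Return the access mask for a hex value or a run of two-letter rights."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= FILE_RIGHTS[rights[i:i + 2]]  # KeyError on a right not listed above
    return mask

def normalise_dacl(sddl):
    """Return the DACL's ACEs as a set of (type, flags, mask, trustee) tuples."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl).group(1)
    aces = set()
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, flags, rights, _obj, _inherit_obj, trustee = body.split(";")
        # OICI and CIOI are the same two flags, so compare them as a set.
        flag_set = frozenset(flags[i:i + 2] for i in range(0, len(flags), 2))
        aces.add((ace_type, flag_set, rights_to_mask(rights), trustee))
    return aces

def dacl_diff(reference, candidate):
    """Return (ACEs only in reference, ACEs only in candidate)."""
    ref, cand = normalise_dacl(reference), normalise_dacl(candidate)
    return ref - cand, cand - ref

if __name__ == "__main__":
    for name, ms, samba in (("sysvol", MS_SYSVOL, SAMBA_SYSVOL),
                            ("policies", MS_POLICIES, SAMBA_POLICIES)):
        only_ms, only_samba = dacl_diff(ms, samba)
        print(name, "only in Microsoft:", only_ms, "only in Samba:", only_samba)
```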




