[Samba] Samba4 and sysvol share

Matthieu Patou mat at samba.org
Wed Sep 28 12:46:53 MDT 2011


On 28/09/2011 04:59, felix at epepm.cupet.cu wrote:
>>> On 27/09/2011 13:07, felix at epepm.cupet.cu wrote:
>>>> Hello.
>>>> I noticed that any domain user can delete the content of the shared
>>>> folder sysvol in the domain controller from a Windows client.
>>>>
>>>> How can I avoid that?
>>>>
>>>> Greetings,
>>>> Felix
>>>>
>>> What's the default Windows behavior with this?
>>>
>>> Matthieu.
>>>
>> Windows users              Windows permissions
>> -------------------------------------------------
>> Domain Admins----------->  Full Access
>> Authenticated Users----->  Read & Execute, List folder contents, Read
>> CREATOR OWNER----------->  Special permissions (Maybe we don't need this)
>> Server Operators-------->  Read & Execute, List folder contents, Read
>> SYSTEM------------------>  Full Access
>>
> I think that what is needed here is:
> Domain Admins------------->  Full Access
> and everybody else-------->  Read & Execute, List folder contents, Read
>
> I think that GPOs and some scripts are delivered to Windows clients
> through sysvol, that's why I don't want any of my users to be able to
> delete the sysvol content.
>
> What should I do to accomplish that goal?
In theory we should have the ACLs OK. I have to check these things, but it
won't be before next week; I'm at IOLAB with Microsoft this week, focusing
on FRS replication.


Sorry.

Matthieu.

-- 
Matthieu Patou
Samba Team
http://samba.org
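
The check asked about in this thread, as an added example that is not part of the original messages or of Samba's code: it parses the DACL of a security descriptor in SDDL text form and reports every allow ACE that gives write, delete or ownership rights to a trustee other than the ones the quoted Windows table lists with Full Access. The two sample descriptors and the `ALLOWED_WRITERS` set are constructed for illustration.

```python
import re

# Standard SDDL right aliases -> access-mask bits (Windows SDK values).
RIGHTS = {
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x010000, "RC": 0x020000, "WD": 0x040000, "WO": 0x080000,
}
# Bits that allow changing or deleting content: write data, append, write EA,
# delete child, write attributes, DELETE, WRITE_DAC, WRITE_OWNER, GA, GW.
MODIFY_BITS = (0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
               | 0x10000000 | 0x40000000)
# Assumption taken from the thread's table: only these get Full Access.
ALLOWED_WRITERS = {"DA", "SY"}  # Domain Admins, SYSTEM


def parse_mask(rights):
    """Turn an SDDL rights field (hex or two-letter aliases) into a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        alias = rights[i:i + 2]
        if alias not in RIGHTS:
            raise ValueError(f"unknown SDDL right {alias!r}")
        mask |= RIGHTS[alias]
    return mask


def writable_by_others(sddl, allowed=ALLOWED_WRITERS):
    """Return (trustee, modify_bits) for allow ACEs outside `allowed`."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if dacl is None:
        raise ValueError("no DACL in descriptor")
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        granted = parse_mask(rights) & MODIFY_BITS
        if ace_type == "A" and granted and sid not in allowed:
            findings.append((sid, granted))
    return findings


# Constructed samples: the layout from the quoted table, and one where
# Authenticated Users (AU) hold Modify (0x1301bf) instead of Read & Execute.
EXPECTED = ("O:BAG:SYD:P(A;OICI;FA;;;DA)(A;OICI;0x1200a9;;;AU)"
            "(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)")
TOO_OPEN = "O:BAG:SYD:P(A;OICI;FA;;;DA)(A;OICI;0x1301bf;;;AU)(A;OICI;FA;;;SY)"

if __name__ == "__main__":
    for name, sd in (("expected", EXPECTED), ("too open", TOO_OPEN)):
        print(name, [(t, hex(m)) for t, m in writable_by_others(sd)])
```

On current Samba releases the input can be taken from `samba-tool ntacl get --as-sddl` run against the sysvol directory; a CREATOR OWNER (`CO`) entry with write rights is reported unless it is added to `allowed`.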