[Samba] Samba4 and sysvol share

Matthieu Patou mat at samba.org
Wed Sep 28 12:46:53 MDT 2011

On 28/09/2011 04:59, felix at epepm.cupet.cu wrote:
>>> On 27/09/2011 13:07, felix at epepm.cupet.cu wrote:
>>>> Hello.
>>>> I noticed that any domain user can delete the content of the shared
>>>> folder
>>>> sysvol in the domain controller from a Windows client.
>>>> How can I avoid that?
>>>> Greetings,
>>>> Felix
>>> What's the default Windows behavior with this?
>>> Matthieu.
>> Windows users              Windows permissions
>> -------------------------------------------------
>> Domain Admins----------->  Full Access
>> Authenticated Users------>  Read & Execute, List folder contents, Read
>> CREATOR OWNER----------->  Special permissions (Maybe we don't need this)
>> Server Operators-------->  Read & Execute, List folder contents, Read
>> SYSTEM------------------>  Full Access
> I think that what is needed here is:
> Domain Admins------------->  Full Access
> and everybody else-------->  Read & Execute, List folder contents, Read
> I think that GPOs and some scripts are delivered to Windows clients
> through sysvol, that's why I don't want any of my users to be able to
> delete the sysvol content.
> What should I do to accomplish that goal?
In theory we should have the ACLs OK. I have to check these things, but it
won't be before next week; I'm at IOLAB with Microsoft this week, focusing
on FRS replication.



Matthieu Patou
Samba Team
