[Samba] Samba4 and sysvol share

felix at epepm.cupet.cu felix at epepm.cupet.cu
Wed Sep 28 12:55:53 MDT 2011

> On 28/09/2011 04:59, felix at epepm.cupet.cu wrote:
>>>> On 27/09/2011 13:07, felix at epepm.cupet.cu wrote:
>>>>> Hello.
>>>>> I noticed that any domain user can delete the content of the shared
>>>>> folder
>>>>> sysvol in the domain controller from a windows client.
>>>>> How can I avoid that?
>>>>> Greetings,
>>>>> Felix
>>>> What's the default windows behavior with this ?
>>>> Matthieu.
>>> Windows users              Windows permissions
>>> -------------------------------------------------
>>> Domain Admins----------->  Full Access
>>> Authenticated Users------>  Read&  Execute, List folder contents, Read
>>> CREATOR OWNER----------->  Special permissions (Maybe we don't need
>>> this)
>>> Server Operators-------->  Read&  Execute, List folder contents, Read
>>> SYSTEM------------------>  Full Access
>> I think that what it is needed here is:
>> Domain Admins------------->  Full Access
>> and everybody else-------->  Read&  Execute, List folder contents, Read
>> I think that GPOs and some scripts are delivered to windows clients
>> through sysvol, that's why I don't want any of my users to be able to
>> delete the sysvol content.
>> What should I do to accomplish that goal?
> In theory we should have the ACLs ok, I have to check this things but it
> won't be before next week I'm at IOLAB with microsoft this week focusing
> on FRS replication.
> Sorry.
> Matthieu.
I understand. I'll be waiting for an answer.


More information about the samba mailing list