[Samba] dsacl

Rowland Penny rowlandpenny at googlemail.com
Fri Feb 20 08:34:50 MST 2015

On 19/02/15 23:33, Felipe_G0NZ4LEZ_S4NTI4G0(); wrote:
> I am trying to grant or denied access to a user for changing his passwd, it's the option: User cannot change passwd. For this, I am trying to use samba-tool dsacl set [option], but I am not sure of its syntax. Could you help me with that? I need to denied this permission without use ADUC or any private tool. My Regards!

Hi, the syntax is (OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS) 
*AND* (OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)

These ACE's will be found in the users 'nTSecurityDescriptor' attribute 
and it is a bit more involved than just adding them with 'samba-tool', 
the originals must be replaced, or to be more precise, the entire ACL 
must be replaced.


More information about the samba mailing list