[Samba] Rights issue on GPO
rpenny at samba.org
Mon Jun 27 18:14:45 UTC 2016
On 27/06/16 14:13, L.P.H. van Belle wrote:
>> Two things Louis:
>> if you look very closely at the differences in the 'ERROR' message, you
>> will find the only difference is this:
>> against the expected:
>> The returned ACL is owned by the 'Local Admins', but it should be owned
>> by 'Domain Admins'. As far as I can see, windows doesn't really care who
>> owns an object, as long as the ACEs are correct and they are!
>> Secondly, more than happy to try adding a GPO, only problem is, I have
>> never really added one, can you point me at a good howto ?
> Hai Rowland,
> I just checked on a windows 2008 R2 server.
> Sysvol security rights should be.
> DOMAIN\Server Operators
> Creator Owner
> Authenticated Users
> DOMAIN\Administrators contains :
> "Domain Admins", Administrator and "Enterprise Admins"
Hi Louis, I have been doing some checking and found this microsoft page:
It lists the default settings and it doesn't match either your list or
what Samba uses, it uses:
Samba uses this:
Which boils down to:
There is no 'Creator Owner'
The ACL for the Policies directory doesn't have 'Creator Owner' either
and according to the microsoft page, it should.
> And the "DOMAIN\Administrators" is in the Builtin OU.
> And same for "DOMAIN\Users" contains:
> Authenticated Users, Domain Users, INTERACTIVE
> So imo this is a bug as Achim told.
> All local security groups must map correctly.
> And we must try to not mix BUILTIN\localgroup and DOMAIN\localgroup
> So imo, if samba is used as a standalone server all Security groups map to BUILTIN\localgroups.
> And when it's a domain AD DC server.
> BUILTIN maps to OU=Builtin and here are the correct groups like DOMAIN\localgroups