[Samba] Everyone ACL problem
Rowland Penny
rpenny at samba.org
Sun Nov 27 11:13:43 UTC 2016
On Sun, 27 Nov 2016 10:38:39 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> to fix this, try the following
>
> remove the content in the sysvol folder (move it away)
> run samba-tool with sysvol reset
>
> copy the content back
> with now setfacl copy the acl recursive to the 'domain folder' in vol
> back.
>
> now on a windows open group policy editor
> klik on the gp objects. if needed , it say i needs some right fix.
>
> when this is done dont sysvol reset anymore.
>
> this is a small bug in 4.4.5
>
> greetz
> louis
>
As I said, the OP has modified one of the default policies, the
'Domain {31B2F340-016D-11D2-945F-00C04FB984F9} GPO' to be precise. This
goes against Microsoft best practice and the result is that the 'Group'
is now 'Domain Users' instead of 'BUILTIN Administrators'.
This is one of the problems with sysvolreset/check, the default GPOs
belong to Local Administrtor:BUILTIN Administrators, any other GPOs will
belong to the same owner:group. This is actually wrong, the main
folders should all belong to Builtin Administrators:SYSTEM
This is not a small bug, it is a big bug
Rowland
More information about the samba
mailing list