[Samba] Everyone ACL problem

Rowland Penny rpenny at samba.org
Sun Nov 27 11:13:43 UTC 2016

On Sun, 27 Nov 2016 10:38:39 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> to fix this, try the following
> remove the content in the sysvol folder (move it away)
> run samba-tool with sysvol reset
> copy the content back
> with now setfacl copy the acl recursive to the 'domain folder' in vol
> back.
>  now on a windows open group policy editor 
> klik on the gp objects. if needed , it say i needs some right fix.
> when this is done dont sysvol reset anymore.
> this is a small bug in 4.4.5
> greetz 
> louis

As I said, the OP has modified one of the default policies, the
'Domain {31B2F340-016D-11D2-945F-00C04FB984F9} GPO' to be precise. This
goes against Microsoft best practice and the result is that the 'Group'
is now 'Domain Users' instead of 'BUILTIN Administrators'.

This is one of the problems with sysvolreset/check, the default GPOs
belong to Local Administrtor:BUILTIN Administrators, any other GPOs will
belong to the same owner:group. This is actually wrong, the main
folders should all belong to Builtin Administrators:SYSTEM

This is not a small bug, it is a big bug


More information about the samba mailing list