[Samba] Windows ACL clarification for Roaming Profiles share
Marc Muehlfeld
mmuehlfeld at samba.org
Sat Feb 18 00:14:57 UTC 2017
Hi Louis,
Am 17.02.2017 um 09:26 schrieb L.P.H. van Belle via samba:
>> What uses the SYSTEM principal on the Sysvol share?
>
> Every computer or user that has a GPO set.
You may be right that "computer" GPOs are applied locally using the
SYSTEM account. However, this is _local_ and the computer does not
access the Sysvol share using the SYSTEM account. To download the
computer GPOs, the machine account is used to connect to the share.
Per-user GPOs are downloaded using the user's permissions and applied to
the user's files and registry (HKCU).
However, I gave it a try to see whether my knowledge is now outdated:
- I removed the SYSTEM account from the Sysvol share, including from all
  subfolders.
- I created two GPOs in the "Default domain policy":
  - I set a different background for the logon screen (computer)
  - I removed the "change password" entry from the
    CTRL+ALT+DEL menu (user)
  - I mapped the Sysvol share using GPO preferences (user)
- I rebooted my Win10 client.
- I rebooted my Win10 client.
After the reboot, the background was changed, and after I logged in, the
entry was hidden in the menu and the share was connected. The Sysvol share
works without the SYSTEM account in the ACLs on the share.
Give it a try if you don't believe me. :-)
> Do read:
> https://technet.microsoft.com/en-us/library/dd851678(v=ws.11).aspx
> And see here, Security options :
> Computer Configuration , by default the task is run in the security context of the SYSTEM account.
This is about tasks that run locally, and locally on a Windows machine
is where the SYSTEM account is usually used. If the local SYSTEM account
tries to access a network resource, it uses the machine account to
authenticate.
That's why it is not necessary to add SYSTEM to the file system ACLs on
a Samba share: SYSTEM is just an account that exists _locally_ and is
not used when connecting to network resources.
If you have anything (a service, a task job, etc.) running on your
_local_ computer that uses the SYSTEM account, then SYSTEM must of course
be added to the local file system ACLs if this task, etc. should be
able to access _local_ files.
Here's a nice explanation of the SYSTEM account:
https://abhijitw.wordpress.com/2012/03/03/the-local-system-account/
See also:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms684190%28v=vs.85%29.aspx
https://support.microsoft.com/en-us/help/120929/how-the-system-account-is-used-in-windows
Regards,
Marc
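Two checks on the Samba DC that go with the experiment described in the message above, as an added example (not code from the original post or from the Samba project): `strip_system_ace` removes every ACE granted to SY (the SDDL alias for the SYSTEM account) from an SDDL string so that it can be fed back to `samba-tool ntacl set`, and `sysvol_accounts` reads `smbstatus` output and reports which account each client used to open the `sysvol` service, so you can confirm that GPO downloads arrive as the machine account (`DOMAIN\HOST$`), not as SYSTEM. The starting SDDL is assumed to be Samba's default provisioned Sysvol ACL; the `smbstatus` excerpt, the `SAMDOM` domain and the `WIN10`, `louis` and `backup` accounts are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example, not from the mailing-list post or the Samba project.

# Assumption: Samba's default provisioned Sysvol SDDL. Check yours with
#   samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
DEFAULT_SYSVOL_SDDL='O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)'

strip_system_ace() {
    # An SDDL ACE is "(type;flags;rights;obj;inh;trustee)". Drop every ACE
    # whose trustee is SY (SYSTEM); the owner/group prefix, the DACL flags and
    # all other ACEs are kept untouched.
    printf '%s\n' "$1" | sed -E 's/\([^()]*;SY\)//g'
}

sysvol_accounts() {
    # Reads `smbstatus` output on stdin. The first table lists processes
    # (PID, Username, Group, Machine, ...), the second lists open services
    # (Service, pid, Machine, ...). Join the two on the PID and print
    #   <account>  <machine|user>
    # for every session that has the sysvol service open. Only the first two
    # columns of each table are used, so group names containing spaces
    # ("domain computers") do not disturb the parsing.
    awk '
        /^-+$/ { table++; next }                          # rule under a header
        table == 1 && $1 ~ /^[0-9]+$/ { user[$1] = $2 }   # PID -> account
        table == 2 && $1 == "sysvol" && ($2 in user) {
            acct = user[$2]
            kind = (acct ~ /\$$/) ? "machine" : "user"    # trailing $ = machine
            print acct "  " kind
        }
    '
}

# Constructed smbstatus excerpt (sample data, not captured from a real DC):
# a Win10 client fetching GPOs as its machine account, a logged-in user
# reading Sysvol, and an unrelated session on a profiles share.
SAMPLE_SMBSTATUS='Samba version 4.5.5
PID     Username        Group                   Machine                                   Protocol Version
-------------------------------------------------------------------------------------------------------------
4711    SAMDOM\WIN10$   SAMDOM\domain computers 192.168.1.50 (ipv4:192.168.1.50:49158)   SMB3_11
4712    SAMDOM\louis    SAMDOM\domain users     192.168.1.50 (ipv4:192.168.1.50:49160)   SMB3_11
4713    SAMDOM\backup   SAMDOM\domain users     192.168.1.77 (ipv4:192.168.1.77:50001)   SMB3_11

Service      pid     Machine       Connected at                     Encryption   Signing
----------------------------------------------------------------------------------------
sysvol       4711    192.168.1.50  Fri Feb 17 09:26:00 AM 2017 CET  -            -
sysvol       4712    192.168.1.50  Fri Feb 17 09:26:05 AM 2017 CET  -            -
profiles     4713    192.168.1.77  Fri Feb 17 09:30:00 AM 2017 CET  -            -
'

# Demo on the constructed data.
strip_system_ace "$DEFAULT_SYSVOL_SDDL"
printf '%s' "$SAMPLE_SMBSTATUS" | sysvol_accounts
```

On a live DC you would pipe the real `smbstatus` into `sysvol_accounts` while a client reboots and logs on; every `sysvol` line should end in `machine` (during boot) or name a user (after logon). If you strip the SY ACE and later want the default back, `samba-tool ntacl sysvolreset` restores it.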