[Samba] Problem sysvolreset

Rowland Penny rpenny at samba.org
Tue Mar 7 18:48:41 UTC 2017


On Tue, 7 Mar 2017 10:26:03 -0800
Kris Lou via samba <samba at lists.samba.org> wrote:


> Hang on, can you explain this a little further?  I thought that Domain
> Admins was issued gidNumber 512 by default. In addition, sysvolreset
> is not recommended to fix potential SysVol replication problems with
> GPO perms?
> 

No, Domain Admins doesn't get gidNumber 512 by default, it gets the
'RID' 512 by default, bit of a difference there.

Domain Admins gets mapped to an xidNumber in idmap.ldb, but it also
gets mapped as 'ID_TYPE_BOTH'; this means that Domain Admins is both a
group and a user and therefore is able to own files etc. on Unix.

If you then give Domain Admins a gidNumber, it becomes just a group
and cannot own files as a user does.

Domain Admins needs to own files in sysvol as a user, but sysvolreset
seems to change the ACLs set when a GPO is added on a Windows machine.

It is my recommendation to not give Domain Admins a gidNumber and not
to run sysvolreset if you add any GPOs.

Rowland
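
An added example, not part of Rowland's message or of Samba itself: a small audit that reads LDIF text of the kind `ldbsearch` prints for idmap.ldb and sam.ldb and flags the two conditions described above. The sample records, the SID and the ID values are constructed, and the function names are hypothetical.

```python
import re

# Constructed samples shaped like ldbsearch output; SID and ID values are made up.
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-512
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
type: ID_TYPE_BOTH
xidNumber: 3000008
"""
SAM_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
gidNumber: 512
"""
DOMAIN_ADMINS_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-512$")  # domain SID + RID 512


def parse_ldif(text):
    """Return one {attribute: value} dict per blank-line-separated LDIF record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                key, value = line.split(": ", 1)
                rec[key] = value.strip()
        if rec:
            records.append(rec)
    return records


def check_domain_admins(idmap_ldif, sam_ldif):
    """Return findings for the two conditions described in the message above."""
    def is_da(rec):
        return bool(DOMAIN_ADMINS_SID.match(rec.get("objectSid", "")))
    findings = []
    for rec in filter(is_da, parse_ldif(idmap_ldif)):
        if rec.get("type") != "ID_TYPE_BOTH":
            findings.append(f"idmap.ldb maps Domain Admins as {rec.get('type')}, "
                            f"not ID_TYPE_BOTH (xidNumber {rec.get('xidNumber')})")
    for rec in filter(is_da, parse_ldif(sam_ldif)):
        if "gidNumber" in rec:
            findings.append(f"Domain Admins has gidNumber {rec['gidNumber']}: "
                            "it is treated as just a group and cannot own sysvol files")
    return findings


if __name__ == "__main__":
    for finding in check_domain_admins(IDMAP_LDIF, SAM_LDIF):
        print("WARNING:", finding)
```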



