[Samba] Problem sysvolreset
rpenny at samba.org
Tue Mar 7 18:48:41 UTC 2017
On Tue, 7 Mar 2017 10:26:03 -0800
Kris Lou via samba <samba at lists.samba.org> wrote:
> Hang on, can you explain this a little further? I thought that Domain
> Admins was issued gidNumber 512 by default. In addition, sysvolreset
> is not recommended to fix potential SysVol replication problems with
> GPO perms?
No, Domain Admins doesn't get gidNumber 512 by default, it gets the
'RID' 512 by default, bit of a difference there.

Domain Admins gets mapped to an xidNumber in idmap.ldb, but it also
gets mapped as 'ID_TYPE_BOTH', this means that Domain Admins is both a
group and a user and therefore is able to own files etc. on Unix.
If you then give Domain Admins a gidNumber, it becomes just a group
and cannot own files as a user does.

Domain Admins needs to own files in sysvol as a user, but sysvolreset
seems to change the ACLs set when a GPO is added on a Windows machine.

It is my recommendation to not give Domain Admins a gidNumber and not
to run sysvolreset if you add any GPOs.
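
A check for the condition described in this message, as an added example that is not part of the original post: it parses LDIF text as printed by `ldbsearch` from `sam.ldb` and `idmap.ldb` and reports when the RID 512 group carries a gidNumber or is not mapped as ID_TYPE_BOTH. The sample records, SID and DNs are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample `ldbsearch` output (SIDs, DNs and IDs are made up).
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
IDMAP_LDIF = f"""\
dn: CN={DOM}-512
objectClass: sidMap
objectSid: {DOM}-512
type: ID_TYPE_BOTH
xidNumber: 3000008
"""
SAM_LDIF = f"""\
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectSid: {DOM}-512
gidNumber: 512
"""

def parse_ldif(text):
    """Parse simple 'attr: value' records separated by blank lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip ldbsearch comment lines and malformed lines
            key, value = line.split(": ", 1)
            rec[key.lower()] = value.strip()
        if rec:
            records.append(rec)
    return records

def is_domain_rid(rec, rid):
    """True if the record's SID is a domain SID ending in the given RID."""
    sid = rec.get("objectsid", "")
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] == rid

def check_domain_admins(idmap_ldif, sam_ldif, rid="512"):
    """Return findings for the two conditions the post warns about."""
    findings = []
    for rec in parse_ldif(sam_ldif):
        if is_domain_rid(rec, rid) and "gidnumber" in rec:
            findings.append(f"{rec.get('dn')}: gidNumber {rec['gidnumber']} is set")
    for rec in parse_ldif(idmap_ldif):
        if is_domain_rid(rec, rid) and rec.get("type") != "ID_TYPE_BOTH":
            findings.append(f"{rec.get('dn')}: idmap type is {rec.get('type')}")
    return findings

if __name__ == "__main__":
    for finding in check_domain_admins(IDMAP_LDIF, SAM_LDIF):
        print("WARNING:", finding)
```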