[Samba] Administrator lost write privileges to sysvol (Can't add/edit anything using RSAT Tools)

Darren Conte darren.conte at volereservices.com
Mon Jan 27 14:49:40 UTC 2020 

>Perhaps I should have been more explicit, If you have more than one DC
in a domain and only one of those is giving problems, then demote the
problem DC, but if you have only DC (which isn't recommended) then you
have problems,.
>
>As I said, Sysvol is only used for GPOs and Administrator not being able
to write to it is not the fault, but a symptom.
>
>Can you log into a Windows PC as Administrator, connect to a share on a
Unix machine as Administrator and create a file. Then go to the Unix
machine and see who the file was saved as.
>
>Rowland

Rowland - I logged onto a PC as DOMAIN\Administrator and created the two
items below from Windows.  As you can see the owner is 'root'.

root at server:/Shares/Pool# ls -la | grep 'Fred'
drwxrwsrwx+   2 root     users   4096 Jan 27 08:26 Fred
-rwxrwxrwx+   1 root     users   8458 Jan 27 08:26 Fred.odt

When other 'Domain Users' create content within /Shares/Pool, owner = UID
(respectively).
drwxrwsrwx+   4  3000027 users   4096 Jan 27 08:27 Test_Folder

My issue only stems around DOMAIN\Administrator, here's why.  As a test, I
logged in as another Delegated User who was a 'Member of' the Domain Admins
group.  What is strange, is that username has full WRITE privileges to ADUC
and GPO, and can add/edit all objects (which is expected).  So, I
successfully added my username to the 'Members' of Domain Admins, logged
out and was successfully able to verify that I have full WRITE privileges
too.  So again, it seems like removing 'Rodolfo' from 'Domain Admins'
incorrectly only seemed to corrupt DOMAIN\Administrator since that was the
username I was performing the task from.

If that is the case, do you think if I logon as my Delegated User, remove
DOMAIN\Administrator from 'Members' in Domain Admins group, reboot then
re-add it back in, might straighten out the corruption? I don't know if
there would be downstream issues, so I am looking for your input before I
do-so.  Let me know your thoughts?

Darren

More information about the samba mailing list