[Samba] Administrator lost write privileges to sysvol (Can't add/edit anything using RSAT Tools)

Rowland penny rpenny at samba.org
Mon Jan 27 15:08:57 UTC 2020


On 27/01/2020 14:49, Darren Conte via samba wrote:
>> Perhaps I should have been more explicit. If you have more than one DC
>> in a domain and only one of those is giving problems, then demote the
>> problem DC, but if you have only one DC (which isn't recommended) then you
>> have problems.
>>
>> As I said, Sysvol is only used for GPOs and Administrator not being able
>> to write to it is not the fault, but a symptom.
>>
>> Can you log into a Windows PC as Administrator, connect to a share on a
>> Unix machine as Administrator and create a file. Then go to the Unix
>> machine and see who the file was saved as.
>>
>> Rowland
> Rowland - I logged onto a PC as DOMAIN\Administrator and created the two
> items below from Windows.  As you can see the owner is 'root'.
>
> root at server:/Shares/Pool# ls -la | grep 'Fred'
> drwxrwsrwx+   2 root     users   4096 Jan 27 08:26 Fred
> -rwxrwxrwx+   1 root     users   8458 Jan 27 08:26 Fred.odt
Good, this is what I expected and shows that Administrator is being 
mapped to 'root'
>
> When other 'Domain Users' create content within /Shares/Pool, owner = UID
> (respectively).
> drwxrwsrwx+   4  3000027 users   4096 Jan 27 08:27 Test_Folder
>
> My issue only stems around DOMAIN\Administrator, here's why.  As a test, I
> logged in as another Delegated User who was a 'Member of' the Domain Admins
> group.  What is strange, is that username has full WRITE privileges to ADUC
> and GPO, and can add/edit all objects (which is expected).  So, I
> successfully added my username to the 'Members' of Domain Admins, logged
> out and was successfully able to verify that I have full WRITE privileges
> too.  So again, it seems like removing 'Rodolfo' from 'Domain Admins'
> incorrectly only seemed to corrupt DOMAIN\Administrator since that was the
> username I was performing the task from.
This is very strange, is Administrator a member of Domain Admins? Or 
did you change 'Administrator' to 'Rodolfo'? (Those may actually be the 
same question.)
> If that is the case, do you think if I logon as my Delegated User, remove
> DOMAIN\Administrator from 'Members' in Domain Admins group, reboot then
> re-add it back in, might straighten out the corruption? I don't know if
> there would be downstream issues, so I am looking for your input before I
> do so.  Let me know your thoughts?

It should show in Domain Admins like this:

member: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com

And 'Domain Admins' should be a member of 'Administrators'

Can you dump the following objects from AD, sanitise them and then post 
them:

CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com

CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com

CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com

One other thing, can you please reply to the mailing list, I do not know 
what you are actually doing, but it is breaking the thread ;-)

Rowland
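Added example (not part of the thread, and not Samba project code): a small Python script that takes LDIF dumps of the three objects Rowland asks for, checks the two relationships he describes (Administrator listed as a `member` of Domain Admins, and Domain Admins listed as a `member` of the Builtin Administrators group), and sanitises the real domain DN before the dump is posted to a list. The LDIF below is constructed sample data shaped like `ldbsearch` output against a Samba AD DC's sam.ldb; the attribute names (`dn`, `member`, `memberOf`) are standard AD schema, and the domain suffix `DC=samdom,DC=example,DC=com` is the placeholder used in the thread.

```python
"""Verify Administrator / Domain Admins / Administrators membership from LDIF.

Added example, not from the mailing-list thread. SAMPLE_LDIF is constructed
data in the shape `ldbsearch` prints for these objects on a Samba AD DC.
"""
import re

# Constructed sample: what a healthy domain's three objects should look like
# once the real base DN has been replaced by the placeholder from the thread.
SAMPLE_LDIF = """\
dn: CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com
objectClass: group
cn: Administrators
member: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
member: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
member: CN=Enterprise Admins,CN=Users,DC=samdom,DC=example,DC=com

dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
cn: Administrator
memberOf: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com

dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
cn: Domain Admins
member: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into {dn: {attr_lowercase: [values]}}.

    Handles LDIF line folding (a line starting with one space continues the
    previous value) and blank-line record separators. Base64 (`::`) values
    are not needed for these objects and are not decoded here.
    """
    records = {}
    current = None
    folded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]
        else:
            folded.append(raw)
    for line in folded + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if current is not None:
                records[current["dn"]] = current["attrs"]
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(attr, []).append(value)
    return records


def sanitise(text, real_base_dn, placeholder="DC=samdom,DC=example,DC=com"):
    """Replace the real domain DN suffix with the thread's placeholder before posting."""
    return re.sub(re.escape(real_base_dn), placeholder, text, flags=re.IGNORECASE)


def check_admin_membership(records, base_dn="DC=samdom,DC=example,DC=com"):
    """Return the two relationships the thread expects, using the forward
    `member` attribute (authoritative) rather than the `memberOf` back-link."""
    admin = f"CN=Administrator,CN=Users,{base_dn}"
    domain_admins = f"CN=Domain Admins,CN=Users,{base_dn}"
    builtin_admins = f"CN=Administrators,CN=Builtin,{base_dn}"

    def members(dn):
        return {m.lower() for m in records.get(dn, {}).get("member", [])}

    return {
        "administrator_in_domain_admins": admin.lower() in members(domain_admins),
        "domain_admins_in_administrators": domain_admins.lower() in members(builtin_admins),
    }


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    for name, ok in check_admin_membership(recs).items():
        print(f"{name}: {'OK' if ok else 'MISSING'}")
```

On a real DC the input would come from `ldbsearch -H <path to sam.ldb>` (or `samba-tool group listmembers "Domain Admins"`) piped through `sanitise()` with the real base DN; the exact sam.ldb path depends on how Samba was installed, so it is left as a placeholder here. A `False` for `administrator_in_domain_admins` with the `memberOf` back-link still present on the Administrator object is exactly the kind of inconsistency the group-edit described in the thread could leave behind.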