[Samba] Administrator lost write privileges to sysvol (Can't add/edit anything using RSAT Tools)
Rowland penny
rpenny at samba.org
Mon Jan 27 15:08:57 UTC 2020
On 27/01/2020 14:49, Darren Conte via samba wrote:
>> Perhaps I should have been more explicit, If you have more than one DC
> in a domain and only one of those is giving problems, then demote the
> problem DC, but if you have only DC (which isn't recommended) then you
> have problems,.
>> As I said, Sysvol is only used for GPOs and Administrator not being able
> to write to it is not the fault, but a symptom.
>> Can you log into a Windows PC as Administrator, connect to a share on a
> Unix machine as Administrator and create a file. Then go to the Unix
> machine and see who the file was saved as.
>> Rowland
> Rowland - I logged onto a PC as DOMAIN\Administrator and created the two
> items below from Windows. As you can see the owner is 'root'.
>
> root at server:/Shares/Pool# ls -la | grep 'Fred'
> drwxrwsrwx+ 2 root users 4096 Jan 27 08:26 Fred
> -rwxrwxrwx+ 1 root users 8458 Jan 27 08:26 Fred.odt
Good, this is what I expected and shows that Administrator is being
mapped to 'root'
>
> When other 'Domain Users' create content within /Shares/Pool, owner = UID
> (respectively).
> drwxrwsrwx+ 4 3000027 users 4096 Jan 27 08:27 Test_Folder
>
> My issue only stems around DOMAIN\Administrator, here's why. As a test, I
> logged in as another Delegated User who was a 'Member of' the Domain Admins
> group. What is strange, is that username has full WRITE privileges to ADUC
> and GPO, and can add/edit all objects (which is expected). So, I
> successfully added my username to the 'Members' of Domain Admins, logged
> out and was successfully able to verify that I have full WRITE privileges
> too. So again, it seems like removing 'Rodolfo' from 'Domain Admins'
> incorrectly only seemed to corrupt DOMAIN\Administrator since that was the
> username I was performing the task from.
This is very strange, is Administrator a member of Domain Admins ? or
did you change 'Administrator' to 'Rodolfo' ? (those may actually be the
same question)
> If that is the case, do you think if I logon as my Delegated User, remove
> DOMAIN\Administrator from 'Members' in Domain Admins group, reboot then
> re-add it back in, might straighten out the corruption? I don't know if
> there would be downstream issues, so I am looking for your input before I
> do-so. Let me know your thoughts?
It should show in Domain Admins like this:
member: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
And 'Domain Admins' should be a member of 'Administrators'
Can you dump the following objects from AD, sanitise them and then post
them:
CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com
CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
One other thing, can you please reply to the mailing list, I do not know
what you are actually doing, but it is breaking the thread ;-)
Rowland
More information about the samba
mailing list