[Samba] Sysvol GPO ACLs problem

Rowland penny rpenny at samba.org
Mon May 11 11:55:06 UTC 2020

On 11/05/2020 12:33, Pablo Sanz Fernández wrote:
> Sorry Rowland, didn't read that part.
> Yes, the 'Domain Admins' group has the gidNumber attribute the value "512", and 'BUILTIN\Server Operators' value "549".

I can sort of understand why 'Domain Admins' has a gidNumber, but why 
'Server operators' ?

The only group from the Windows 'Well Known SIDs' that requires a 
gidNumber attribute is 'Domain Users'. You can give 'Domain Admins' a 
gidNumber, but there is a problem with doing that, it turns the Windows 
group into a Unix group ;-)

That might sound like it isn't a problem, except that a Windows group 
can own files and directories and a Unix group cannot, which is where we 
came in, Domain Admins needs to own things in Sysvol ;-)

I create a group (I use the imaginative name of 'Unix Admins'), give 
this group a gidNumber and make it a member of Domain Admins. Then I use 
the group wherever I would normally use Domain Admins, except for Sysvol.


More information about the samba mailing list