[Samba] GPO fail and sysvol perm errors

Rowland penny rpenny at samba.org
Wed Oct 28 16:55:37 UTC 2020


On 28/10/2020 16:37, Sonic via samba wrote:
> For completeness:
> The existing GPO:
> # samba-tool ntacl get --as-sddl \{07AF723D-5FFD-4807-B3C6-DFCE911B922A\}/
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>
> The newly created GPO:
> # samba-tool ntacl get --as-sddl \{0C0B713E-EE65-4ACE-88AE-25125E2AAE00\}/
> O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>
> Chris
>
If you look very carefully at the two ACLs, the only difference is at
the start, one has:

O:DAG:DAD:P

The other:

O:DAG:DAD:PAI

If we break them down:

O = Owner

DA = Domain Admins

G = Group

DA = Domain Admins

P = PROTECTED

AI = AUTO_INHERITED

The only difference is the 'AI'

Rowland
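
Added example, not part of the original message and not Samba's own code: a small Python parser that splits the two SDDL strings quoted above into owner, group, DACL control flags and ACEs, then reports what differs. The function names are this example's own, and it handles only the O:/G:/D: layout shown in this thread.

```python
import re

# DACL control flags that may appear between "D:" and the first ACE.
DACL_FLAGS = {
    "P": "SE_DACL_PROTECTED",
    "AR": "SE_DACL_AUTO_INHERIT_REQ",
    "AI": "SE_DACL_AUTO_INHERITED",
}

# Owner and group are matched non-greedily so "O:DAG:DAD:P" splits as
# owner=DA, group=DA, DACL flags=P.
SDDL_RE = re.compile(
    r"O:(?P<owner>[^:()]*?)G:(?P<group>[^:()]*?)"
    r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)"
)

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ACE list."""
    m = SDDL_RE.match(sddl.strip())
    if m is None:
        raise ValueError("not an O:/G:/D: SDDL string")
    flags = m["flags"]
    tokens = re.findall(r"AR|AI|P", flags)
    if "".join(tokens) != flags:
        raise ValueError(f"unknown DACL flag in {flags!r}")
    return {
        "owner": m["owner"],
        "group": m["group"],
        "dacl_flags": {DACL_FLAGS[t] for t in tokens},
        "aces": re.findall(r"\(([^)]*)\)", m["aces"]),
    }

def diff_sddl(a, b):
    """Report which parts of two security descriptors differ."""
    pa, pb = parse_sddl(a), parse_sddl(b)
    return {
        "same_owner_group": (pa["owner"], pa["group"]) == (pb["owner"], pb["group"]),
        "same_aces": pa["aces"] == pb["aces"],
        "flags_only_in_a": pa["dacl_flags"] - pb["dacl_flags"],
        "flags_only_in_b": pb["dacl_flags"] - pa["dacl_flags"],
    }

# The two descriptors exactly as quoted in the message above.
EXISTING = "O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
NEW = "O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"

if __name__ == "__main__":
    print(diff_sddl(EXISTING, NEW))
```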