[Samba] GPO fail and sysvol perm errors
Rowland penny
rpenny at samba.org
Wed Oct 28 16:55:37 UTC 2020
On 28/10/2020 16:37, Sonic via samba wrote:
> For completeness:
> The existing GPO:
> # samba-tool ntacl get --as-sddl \{07AF723D-5FFD-4807-B3C6-DFCE911B922A\}/
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>
> The newly created GPO:
> # samba-tool ntacl get --as-sddl \{0C0B713E-EE65-4ACE-88AE-25125E2AAE00\}/
> O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>
> Chris
>
If you look very carefully at the two ACL's, the only difference is at
the start, one has:
O:DAG:DAD:P
The other:
O:DAG:DAD:PAI
If we break them down:
O = Owner
DA = Domain Admins
G = Group
DA = Domain Admins
P = PROTECTED
AI = AUTO_INHERITED
The only difference is the 'AI'
Rowland
More information about the samba
mailing list