[Samba] SeDiskOperatorPrivilege_Privilege

Rowland Penny rpenny at samba.org
Sun Jun 9 16:12:51 UTC 2024


On Sun, 9 Jun 2024 16:53:30 +0100
Luis Peromarta via samba <samba at lists.samba.org> wrote:

> Mmm… strange ? Or is this what you were expecting ?

No

> 
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
> Password for [MAD\administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
> 
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uadministrator
> Password for [MAD\administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
> 
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -UAdministrator
> Password for [MAD\Administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
> 
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -U "MAD\Administrator"
> Password for [MAD\Administrator]:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
> 
> But then:
> 
> root at member:/# net rpc rights list privileges SeDiskOperatorPrivilege -Uluis
> Password for [MAD\luis]:
> SeDiskOperatorPrivilege:
>  BUILTIN\Administrators

But that is !!!

Before I say anything else, I would just like to point out two things:
A) I didn't write the initial wikipage
B) Perhaps things didn't work as they should have done when the
wikipage was first written.

OK, Windows has the concept of 'nested groups', which means that a
group that is a member of another group inherits all the permissions
and privileges of the group it is a member of.

Now what does this mean ? As you have proved, by default,
BUILTIN\Administrators has the SeDiskOperatorPrivilege and guess what
group is a default member of BUILTIN\Administrators, yes, it's Domain
Admins. This means you do not have to give Domain Admins the
SeDiskOperatorPrivilege, it already gets it from BUILTIN\Administrators.

I will update the wikipage.

Rowland
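An added illustration of the nested-group point made above (this is not code from the thread or from Samba): resolving whether a principal effectively holds a privilege by walking its transitive group membership, and flagging a direct grant to a group as redundant when the group already inherits the privilege from a parent. The membership data is constructed to mirror the thread; the user names other than luis are assumptions.

```python
from collections import deque

# Constructed data modelled on the thread: the privilege is assigned only to
# BUILTIN\Administrators, and "Domain Admins" is a default member of it.
# User names other than "luis" are assumptions added for illustration.
PRIVILEGES = {
    "SeDiskOperatorPrivilege": {"BUILTIN\\Administrators"},
}
MEMBERS = {  # group -> direct members (users or nested groups)
    "BUILTIN\\Administrators": {"MAD\\Domain Admins", "MAD\\Administrator"},
    "MAD\\Domain Admins": {"MAD\\luis"},
    "MAD\\Domain Users": {"MAD\\luis", "MAD\\alice"},
}

def _parents(members):
    """Invert group -> members into member -> groups it belongs to directly."""
    parents = {}
    for group, direct in members.items():
        for m in direct:
            parents.setdefault(m, set()).add(group)
    return parents

def inheritance_path(principal, privilege, privileges=PRIVILEGES, members=MEMBERS):
    """Return the membership chain from principal up to the first group (or the
    principal itself) that is assigned the privilege, or None if there is none.
    The came_from map doubles as a visited set, so cyclic nesting stays finite."""
    holders = privileges.get(privilege, set())
    parents = _parents(members)
    came_from = {principal: None}
    queue = deque([principal])
    while queue:
        cur = queue.popleft()
        if cur in holders:
            chain = []
            while cur is not None:
                chain.append(cur)
                cur = came_from[cur]
            return chain[::-1]                # principal ... holder
        for g in sorted(parents.get(cur, ())):
            if g not in came_from:
                came_from[g] = cur
                queue.append(g)
    return None

def has_privilege(principal, privilege, privileges=PRIVILEGES, members=MEMBERS):
    return inheritance_path(principal, privilege, privileges, members) is not None

def grant_is_redundant(group, privilege, privileges=PRIVILEGES, members=MEMBERS):
    """True when the group already inherits the privilege from a parent group,
    so granting it directly changes nothing (the Domain Admins case above)."""
    path = inheritance_path(group, privilege, privileges, members)
    return path is not None and len(path) > 1
```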


