sysvol permissions
Rowland Penny
repenny241155 at gmail.com
Mon Jun 27 18:51:15 UTC 2016
Hi, in provision '__init__.py', the permissions for sysvol and the
policies directory are set to this:
SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
But on this Microsoft webpage:
https://technet.microsoft.com/en-us/library/cc816750%28v=ws.10%29.aspx
They are shown as this:
"%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
"%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"
Which would mean that they should be set to:
SYSVOL_ACL = "O:LAG:BAD:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
POLICIES_ACL = "O:LAG:BAD:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"
This is basically the same as Samba's but with the addition of 'Creator
Owner'.
Finally, the owner is given as 'O:LA'; this comes up time and time again
on the Samba mailing list: 'sysvolreset' errors out because the owner
has been changed to 'O:DA', presumably when a GPO is added.
Now, before I waste my time creating a patch to correct the above
problems, has anybody got any objections to the changes, i.e. changing
the owner and adding 'Creator Owner'?
Rowland
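
An added example, not part of the original post and not Samba's own code: a small SDDL comparison of the two policies DACLs quoted above. It assumes the two-letter generic rights (GR, GW, GX, GA) are expanded with the Windows file-object generic mapping from winnt.h; the function and constant names are hypothetical.

```python
import re

# Generic/standard rights after the Windows file-object generic mapping
# (winnt.h: FILE_GENERIC_READ/WRITE/EXECUTE, FILE_ALL_ACCESS, DELETE).
FILE_RIGHTS = {"GR": 0x120089, "GW": 0x120116, "GX": 0x1200A0,
               "GA": 0x1F01FF, "SD": 0x010000}

# POLICIES_ACL as quoted from provision/__init__.py in the post.
SAMBA_POLICIES = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
                  "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
                  "(A;OICI;0x001301bf;;;PA)")
# DACL for the policies directory as quoted from the Microsoft page.
MS_POLICIES = ("D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)"
               "(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)")

def access_mask(rights):
    """Turn an SDDL rights field (hex or two-letter codes) into a file mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= FILE_RIGHTS[code]  # KeyError: a code this example does not map
    return mask

def dacl_aces(sddl):
    """Return the DACL as a set of (type, flags, mask, trustee) tuples."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl).group(1)
    aces = set()
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, flags, rights, _obj, _inh_obj, trustee = body.split(";")
        # OICI and CIOI are the same two inheritance flags, so compare as a set.
        aces.add((ace_type, frozenset(re.findall("..", flags)),
                  access_mask(rights), trustee))
    return aces

def compare(ours, theirs):
    """ACEs only in `ours`, and ACEs only in `theirs`, after normalisation."""
    a, b = dacl_aces(ours), dacl_aces(theirs)
    return a - b, b - a

if __name__ == "__main__":
    only_samba, only_ms = compare(SAMBA_POLICIES, MS_POLICIES)
    for label, aces in (("Samba only", only_samba), ("Microsoft only", only_ms)):
        for ace_type, flags, mask, trustee in sorted(aces, key=lambda a: a[3]):
            print(f"{label}: {ace_type} {sorted(flags)} {mask:#010x} {trustee}")
```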