List: samba
Subject: Re: [Samba] GPO fail and sysvol perm errors
From: Rowland penny via samba <samba () lists ! samba ! org>
Date: 2020-10-28 16:55:37
Message-ID: 1132a86b-19ed-39a9-d485-cfaebf9b140e () samba ! org
On 28/10/2020 16:37, Sonic via samba wrote:
> For completeness:
> The existing GPO:
> # samba-tool ntacl get --as-sddl \{07AF723D-5FFD-4807-B3C6-DFCE911B922A\}/
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>
> The newly created GPO:
> # samba-tool ntacl get --as-sddl \{0C0B713E-EE65-4ACE-88AE-25125E2AAE00\}/
> O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>
> Chris
>
If you look very carefully at the two ACLs, the only difference is at
the start, one has:
O:DAG:DAD:P
The other:
O:DAG:DAD:PAI
If we break them down:
O = Owner
DA = Domain Admins
G = Group
DA = Domain Admins
P = PROTECTED
AI = AUTO_INHERITED
The only difference is the 'AI'
Rowland
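
The comparison made in the reply above, as an added example (not part of the original message and not Samba code): a small Python parser that splits each SDDL string into owner, group, DACL control flags and ACEs, then reports which fields differ. The names parse_sddl and diff_sddl are hypothetical, and the parser assumes the O:/G:/D: layout seen in this thread with no SACL (S:) part.

```python
import re

# SDDL strings from the two `samba-tool ntacl get --as-sddl` outputs quoted
# above, with the line wraps joined.
EXISTING_GPO = (
    "O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
NEW_GPO = (
    "O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# DACL control flags defined by the SDDL grammar.
DACL_FLAGS = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}
ACE_FIELDS = ("type", "flags", "rights", "object", "inherit_object", "trustee")

def parse_sddl(sddl):
    """Split an O:/G:/D: descriptor into owner, group, DACL flags and ACEs."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if m is None:
        raise ValueError("unsupported SDDL layout (expects O:, G:, D: and no S:)")
    owner, group, flags, aces = m.groups()
    # Tokenise the flag run; reject anything that is not P, AR or AI.
    tokens = re.findall(r"AR|AI|P", flags)
    if "".join(tokens) != flags:
        raise ValueError(f"unknown DACL flag in {flags!r}")
    return {
        "owner": owner,
        "group": group,
        "dacl_flags": [DACL_FLAGS[t] for t in tokens],
        "aces": [dict(zip(ACE_FIELDS, a.split(";")))
                 for a in re.findall(r"\(([^()]*)\)", aces)],
    }

def diff_sddl(a, b):
    """Return {field: (value_in_a, value_in_b)} for every field that differs."""
    pa, pb = parse_sddl(a), parse_sddl(b)
    return {k: (pa[k], pb[k]) for k in pa if pa[k] != pb[k]}

if __name__ == "__main__":
    for field, (old, new) in diff_sddl(EXISTING_GPO, NEW_GPO).items():
        print(f"{field}: existing={old} new={new}")
```
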