Rowland,
I'm having a problem because I can't remove two policies: Default Domain Policy and Default Domain Controllers Policy.
Do you know a way to repair both of these?
It is my recommendation to not give Domain Admins a gidNumber and not
to run sysvolreset if you add any GPOs.
On 2017-03-07 at 18:48 +0000 Rowland Penny via samba sent off:
It is my recommendation to not give Domain Admins a gidNumber and
not to run sysvolreset if you add any GPOs.
Anybody who uses idmap ad on a Samba member server should actually give Domain Users and Domain Admins a gidNumber. This does not affect sysvol on a DC in any way unless you enable idmap_ldb:use rfc2307, which I would not recommend doing.
Björn
-----Original Message-----
From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Rowland Penny via samba
Sent: Monday, 20 March 2017 15:44
To: samba@lists.samba.org
Subject: Re: [Samba] Problem sysvolreset
On Mon, 20 Mar 2017 15:27:33 +0100
Björn JACKE via samba <samba@lists.samba.org> wrote:
On 2017-03-07 at 18:48 +0000 Rowland Penny via samba sent off:
It is my recommendation to not give Domain Admins a gidNumber and
not to run sysvolreset if you add any GPOs.
Anybody who uses idmap ad on a Samba member server should actually give Domain Users and Domain Admins a gidNumber. This does not affect sysvol on a DC in any way unless you enable idmap_ldb:use rfc2307, which I would not recommend doing.
Björn
Hi Bjorn,
You can recommend not doing something until you are blue in the face,
but you will not stop people doing it. ;-)
If you give Domain Admins a gidNumber, it breaks the mapping in
idmap.ldb and stops Domain Admins being able to own files and dirs in
sysvol and Domain Admins needs to own files and dirs in sysvol.
Rowland
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
I'm questioning this because of the following.
What is "Domain Admins" doing with rights on SYSVOL anyway?
There should not be any "Domain Admins" at all in the sysvol share and security rights.
On 20 Mar 2017 at 17:26, Rowland Penny <rpenny@samba.org> wrote:
On Mon, 20 Mar 2017 16:36:34 +0100
"L.P.H. van Belle via samba" <samba@lists.samba.org> wrote:
I'm questioning this because of the following.
What is "Domain Admins" doing with rights on SYSVOL anyway?
There should not be any "Domain Admins" at all in the sysvol share and security rights.
If you create a GPO on a 2012R2 DC, you get this on the GUID dir:
"O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
O = owner
G = group
DA = Domain Admins
Rowland
Hi Rowland,
Can you post the exact command you used, so I'm sure I don't get different outputs?
Hi,
Here is my output from the 2008R2 (64-bit).
1) The original GPO from the install (the Domain Controllers Policy):
Path : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
Owner : BUILTIN\Administrators
Group : NT AUTHORITY\SYSTEM
2) A GPO created just now, not touched at all:
Path : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{EDC26216-625D-42D7-8443-9003D427DEF5}
Owner : ROTTERDAM\Domain Admins
Group : ROTTERDAM\Domain Admins
Access : CREATOR OWNER Allow FullControl
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow ReadAndExecute, Synchronize
NT AUTHORITY\Authenticated Users Allow ReadAndExecute, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
ROTTERDAM\Domain Admins Allow FullControl
ROTTERDAM\Enterprise Admins Allow FullControl
Audit :
Sddl : O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)
-----Original Message-----
From: Rowland Penny [mailto:rpenny@samba.org]
Sent: Tuesday, 21 March 2017 16:38
To: L.P.H. van Belle
CC: samba@lists.samba.org
Subject: Re: [Samba] Problem sysvolreset
On Tue, 21 Mar 2017 16:24:31 +0100
L.P.H. van Belle <belle@bazuin.nl> wrote:
Hi Rowland,
Can you post the exact command you used, so I'm sure I don't get different outputs?
OK, on a Windows 2012R2 DC:
Get-Acl C:\Windows\SYSVOL\sysvol\domain.local\Policies\'{5FD30AA2-B678-422C-9C0E-4E270488EDE4}' | Format-List
NOTE: The above is all one line.
Which leads to this output:
Path : sysvol\DOMAIN.LOCAL\Policies\{5FD30AA2-B678-422C-9C0E-4E270488EDE4}
Owner : HOME\Domain Admins
Group : HOME\Domain Admins
Access : CREATOR OWNER Allow FullControl
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow ReadAndExecute, Synchronize
NT AUTHORITY\Authenticated Users Allow ReadAndExecute, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
HOME\Domain Admins Allow FullControl
HOME\Enterprise Admins Allow FullControl
Audit :
Sddl : O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)
Rowland
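The thread turns on reading the Sddl field that Get-Acl prints for a GPO folder: O: and G: name the owner and group, D: carries the DACL, and each (A;...;...) ACE names a trustee by alias (DA, EA, CO, SY, AU, ED) or by raw SID. As an added example, not code from the thread or from Samba, the Python below decodes the three strings posted above and then applies the check a practitioner would want on SYSVOL: list every allow ACE that grants write access to a principal outside the set seen in the default output. The SID aliases, RIDs 512/519 and the file-access mask bits are the standard Windows values; the PRIVILEGED set is an assumption taken from the Get-Acl output in the thread, and the TAMPERED string is constructed here to show what a hijacked GPO folder would look like.

```python
"""Decode SDDL from Get-Acl on a SYSVOL GPO folder and flag unexpected write access.
Added example for this thread; SDDL_2008R2 and SDDL_2012R2 are copied from the
posts above, TAMPERED is constructed."""
import re

# Well-known SID aliases that appear in the thread's strings (subset of the full table).
SID_ALIASES = {
    "DA": "Domain Admins",
    "EA": "Enterprise Admins",
    "CO": "CREATOR OWNER",
    "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "ED": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "BA": "BUILTIN\\Administrators",
}
# Domain-relative RIDs, so an explicit S-1-5-21-<domain>-519 decodes like the EA alias.
RID_NAMES = {512: "Domain Admins", 519: "Enterprise Admins"}

FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE = 0x120089, 0x120116, 0x1200A0
FILE_ALL_ACCESS = 0x1F01FF      # what SDDL writes as FA and Get-Acl shows as FullControl
SYNCHRONIZE = 0x100000
RIGHT_ALIASES = {"FA": FILE_ALL_ACCESS, "FR": FILE_GENERIC_READ, "FW": FILE_GENERIC_WRITE,
                 "FX": FILE_GENERIC_EXECUTE, "GA": 0x10000000, "GR": 0x80000000,
                 "GW": 0x40000000, "GX": 0x20000000}
# Bits that let a trustee change a folder's contents or its security descriptor:
# WRITE_DATA, APPEND, WRITE_EA, WRITE_ATTRIBUTES, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE/ALL.
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x100 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000
# Assumption: the principals that hold write access in the default output quoted in the thread.
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "NT AUTHORITY\\SYSTEM", "CREATOR OWNER"}


def decode_sid(token):
    """Map an SDDL alias or S-1-5-21 domain SID to a name; unknown SIDs are returned verbatim."""
    if token in SID_ALIASES:
        return SID_ALIASES[token]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", token)
    if m and int(m.group(1)) in RID_NAMES:
        return RID_NAMES[int(m.group(1))]
    return token


def decode_rights(token):
    """Rights are either a hex mask (0x1200a9) or concatenated two-letter aliases (FA, GRGW)."""
    if token.startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= RIGHT_ALIASES[token[i:i + 2]]
    return mask


def describe_rights(mask):
    """Name a mask the way Get-Acl does: FullControl, or the generic rights it contains."""
    if mask & FILE_ALL_ACCESS == FILE_ALL_ACCESS:
        return "FullControl"
    names = []
    for name, bits in (("Read", FILE_GENERIC_READ), ("Write", FILE_GENERIC_WRITE),
                       ("Execute", FILE_GENERIC_EXECUTE)):
        wanted = bits & ~SYNCHRONIZE           # SYNCHRONIZE is reported separately
        if mask & wanted == wanted:
            names.append(name)
    if "Read" in names and "Execute" in names:
        names = ["ReadAndExecute"] + [n for n in names if n not in ("Read", "Execute")]
    if mask & SYNCHRONIZE:
        names.append("Synchronize")
    return ", ".join(names) or hex(mask)


def parse_sddl(sddl):
    """Split O:/G:/D: sections and decode each (type;flags;rights;objguid;inhguid;sid) ACE."""
    out = {"owner": None, "group": None, "dacl_flags": "", "aces": []}
    for key, body in re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        if key == "O":
            out["owner"] = decode_sid(body)
        elif key == "G":
            out["group"] = decode_sid(body)
        elif key == "D":
            out["dacl_flags"] = body.split("(", 1)[0]     # e.g. PAI: protected, auto-inherited
            for ace in re.findall(r"\(([^)]*)\)", body):
                ace_type, flags, rights, _obj, _iobj, sid = ace.split(";")[:6]
                out["aces"].append({
                    "type": ace_type,                       # A = allow, D = deny
                    "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],  # OI CI IO ...
                    "rights": decode_rights(rights),
                    "trustee": decode_sid(sid),
                })
    return out


def risky_aces(parsed):
    """Allow ACEs that grant write bits to anyone outside PRIVILEGED (what a GPO hijack leaves)."""
    return [(a["trustee"], a["rights"]) for a in parsed["aces"]
            if a["type"] == "A" and a["rights"] & WRITE_BITS and a["trustee"] not in PRIVILEGED]


# Copied from the thread: a freshly created GPO folder on 2008R2 and on 2012R2.
SDDL_2008R2 = ("O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)"
               "(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)")
SDDL_2012R2 = ("O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)"
               "(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)"
               "(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)")
# Constructed, not from the thread: the same folder after Authenticated Users got full control.
TAMPERED = "O:DAG:DAD:PAI(A;OICI;FA;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)"

if __name__ == "__main__":
    for label, s in (("2008R2", SDDL_2008R2), ("2012R2", SDDL_2012R2), ("tampered", TAMPERED)):
        p = parse_sddl(s)
        print(f"{label}: owner={p['owner']} group={p['group']} dacl={p['dacl_flags']}")
        for a in p["aces"]:
            print(f"  {a['type']} {''.join(a['flags']):6} {describe_rights(a['rights']):28} {a['trustee']}")
        print("  risky:", risky_aces(p) or "none")
```

Run against the two genuine strings, the decoded ACE lists are identical: the 2012R2 string differs only in spelling out Enterprise Admins as a raw SID ending in RID 519 instead of the EA alias, and both end up owned by Domain Admins with Authenticated Users and Enterprise Domain Controllers limited to 0x1200a9 (ReadAndExecute, Synchronize). The same check run over every GUID directory under SYSVOL\domain\Policies is a cheap way to notice a GPO folder whose DACL has drifted from that default.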