Hai,
Here you go, my output of the R2008R2 (64bit).
1) original GPO from the install ( the domain controller policy )
Path :
Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
Owner : BUILTIN\Administrators
Group : NT AUTHORITY\SYSTEM
Access : CREATOR OWNER Allow 268435456
NT AUTHORITY\Authenticated Users Allow -1610612736
NT AUTHORITY\Authenticated Users Allow ReadAndExecute, Synchronize
NT AUTHORITY\SYSTEM Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow 268435456
BUILTIN\Administrators Allow Write, ReadAndExecute, ChangePermissions, TakeOwnership, Synchronize
BUILTIN\Server Operators Allow ReadAndExecute, Synchronize
Audit :
Sddl :
O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)(A;;0x1200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1e01bf;;;BA)(A;OICIIO;GXGR;;;SO)(A;;0x1200a9;;;SO)
The ones with numbers, like CREATOR OWNER Allow 268435456,
are users/groups with special rights.
2) and a just-now created GPO, didn't touch it at all.
Path :
Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{EDC26216-625D-42D7-8443-9003D427DEF5}
Owner : ROTTERDAM\Domain Admins
Group : ROTTERDAM\Domain Admins
Access : CREATOR OWNER Allow FullControl
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow ReadAndExecute, Synchronize
NT AUTHORITY\Authenticated Users Allow ReadAndExecute, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
ROTTERDAM\Domain Admins Allow FullControl
ROTTERDAM\Enterprise Admins Allow FullControl
Audit :
Sddl :
O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)
Greetz,
Louis
> -----Original message-----
> From: Rowland Penny [mailto:rpenny at samba.org]
> Sent: Tuesday 21 March 2017 16:38
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Problem sysvolreset
>
> On Tue, 21 Mar 2017 16:24:31 +0100
> L.P.H. van Belle <belle at bazuin.nl> wrote:
>
> > Hai Rowland,
> >
> > Can you post the exact command you used, so I'm sure I don't get
> > different outputs.
> >
>
> OK, on a Windows 2012R2 DC:
>
> Get-Acl C:\Windows\SYSVOL\sysvol\domain.local\Policies\'{5FD30AA2-B678-422C-9C0E-4E270488EDE4}' | Format-List
>
> NOTE: The above is all one line.
>
> Which leads to this output:
>
> Path : sysvol\DOMAIN.LOCAL\Policies\{5FD30AA2-B678-422C-9C0E-4E270488EDE4}
> Owner : HOME\Domain Admins
> Group : HOME\Domain Admins
> Access : CREATOR OWNER Allow FullControl
> NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow ReadAndExecute, Synchronize
> NT AUTHORITY\Authenticated Users Allow ReadAndExecute, Synchronize
> NT AUTHORITY\SYSTEM Allow FullControl
> HOME\Domain Admins Allow FullControl
> HOME\Enterprise Admins Allow FullControl
> Audit :
> Sddl :
> O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)
>
> Rowland
>
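The Get-Acl listings above print some entries as bare numbers (268435456, -1610612736) and the Sddl line carries the same DACL in compact form. The following is an added example, not code from the thread, that decodes those SDDL strings in Python (so it runs on any host, not only in PowerShell) and shows why the numbers appear: generic rights (GA, GXGR) have no FileSystemRights name, so PowerShell falls back to the raw mask as a signed 32-bit integer, whereas 0x1200a9 and 0x1e01bf decompose into the named rights seen in the same listing. The alias-to-name table and the domain-less "Domain Admins"/"Enterprise Admins" display names are assumptions of this example.

```python
"""Decode SDDL strings as printed by Get-Acl for a SYSVOL policy folder.

Added example (not from the Samba list thread). The SID alias names below
are assumed display names; SDDL itself carries no domain prefix for DA/EA.
"""
import re

# Assumed display names for the SDDL well-known SID aliases used in the thread.
SID_ALIASES = {
    "BA": r"BUILTIN\Administrators",
    "SO": r"BUILTIN\Server Operators",
    "SY": r"NT AUTHORITY\SYSTEM",
    "AU": r"NT AUTHORITY\Authenticated Users",
    "ED": r"NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS",
    "CO": "CREATOR OWNER",
    "DA": "Domain Admins",
    "EA": "Enterprise Admins",
}

# SDDL two-letter rights codes -> access-mask bits.
RIGHTS_CODES = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}
GENERIC_NAMES = {0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
                 0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}

# .NET FileSystemRights members (one name per value), sorted descending: the
# order in which the [Flags] ToString() used by Get-Acl consumes them. That is
# why 0x1e01bf prints as "Write, ReadAndExecute, ChangePermissions, ...".
FILE_SYSTEM_RIGHTS = sorted({
    "FullControl": 0x1F01FF, "Synchronize": 0x100000, "TakeOwnership": 0x80000,
    "ChangePermissions": 0x40000, "Modify": 0x301BF, "ReadAndExecute": 0x200A9,
    "Read": 0x20089, "ReadPermissions": 0x20000, "Delete": 0x10000,
    "Write": 0x116, "WriteAttributes": 0x100, "ReadAttributes": 0x80,
    "DeleteSubdirectoriesAndFiles": 0x40, "ExecuteFile": 0x20,
    "WriteExtendedAttributes": 0x10, "ReadExtendedAttributes": 0x8,
    "AppendData": 0x4, "WriteData": 0x2, "ReadData": 0x1,
}.items(), key=lambda kv: kv[1], reverse=True)

ACE_FLAGS = {"OI": "ObjectInherit", "CI": "ContainerInherit",
             "IO": "InheritOnly", "NP": "NoPropagateInherit", "ID": "Inherited"}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}


def parse_rights(field: str) -> int:
    """Turn an ACE rights field ('GXGR', 'FA', '0x1200a9') into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS_CODES[field[i:i + 2]]
    return mask


def describe_rights(mask: int) -> str:
    """Render a mask the way 'Get-Acl | Format-List' shows FileSystemRights."""
    if mask & 0xF0000000:
        # Generic rights have no FileSystemRights member, so PowerShell prints
        # the raw mask as a signed 32-bit integer: GA -> 268435456,
        # GXGR (0xA0000000) -> -1610612736. These are the "special rights".
        signed = mask - (1 << 32) if mask & 0x80000000 else mask
        names = [n for bit, n in sorted(GENERIC_NAMES.items()) if mask & bit]
        return f"{signed} ({'|'.join(names)})"
    names, remaining = [], mask
    for name, value in FILE_SYSTEM_RIGHTS:
        if (remaining & value) == value:
            names.insert(0, name)      # ToString() builds the list front-first
            remaining &= ~value
    return ", ".join(names) if remaining == 0 else str(mask)


def parse_ace(ace: str) -> dict:
    """Split one 'type;flags;rights;object;inherit_object;sid' ACE."""
    ace_type, flags, rights, _obj, _inh_obj, sid = ace.split(";")
    mask = parse_rights(rights)
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": [ACE_FLAGS.get(flags[i:i + 2], flags[i:i + 2])
                  for i in range(0, len(flags), 2)],
        "mask": mask,
        "rights": describe_rights(mask),
        "trustee": SID_ALIASES.get(sid, sid),
    }


def parse_sddl(sddl: str) -> dict:
    """Parse 'O:..G:..D:flags(ace)(ace)...' into owner, group, flags, ACEs."""
    head = re.match(r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dflags>[A-Z]*)", sddl)
    if not head:
        raise ValueError("expected an SDDL string with O:, G: and D: parts")
    return {
        "owner": SID_ALIASES.get(head["owner"], head["owner"]),
        "group": SID_ALIASES.get(head["group"], head["group"]),
        # P = protected (nothing inherited from the parent folder),
        # AI = DACL produced by auto-inheritance; both appear on SYSVOL policies.
        "dacl_flags": head["dflags"],
        "aces": [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", sddl)],
    }


# Constructed sample input: the two Sddl lines from the 2008R2 output above.
DEFAULT_POLICY_SDDL = ("O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)"
                       "(A;;0x1200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)"
                       "(A;OICIIO;GA;;;BA)(A;;0x1e01bf;;;BA)"
                       "(A;OICIIO;GXGR;;;SO)(A;;0x1200a9;;;SO)")
NEW_GPO_SDDL = ("O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)"
                "(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)"
                "(A;OICI;FA;;;EA)")


def format_like_get_acl(sddl: str) -> str:
    """Produce the Owner/Group/Access lines Get-Acl would show for an SDDL."""
    acl = parse_sddl(sddl)
    lines = [f"Owner : {acl['owner']}", f"Group : {acl['group']}"]
    for ace in acl["aces"]:
        lines.append(f"{ace['trustee']} {ace['type']} {ace['rights']}"
                     f"  [{','.join(ace['flags']) or 'no inheritance flags'}]")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, sddl in (("default policy", DEFAULT_POLICY_SDDL),
                        ("new GPO", NEW_GPO_SDDL)):
        print(f"== {label} (DACL flags {parse_sddl(sddl)['dacl_flags']})")
        print(format_like_get_acl(sddl))
```

Comparing the decoded entries side by side makes the difference visible at a glance: the installer-created policy grants its inheritable rights as generic GA/GXGR ACEs with the InheritOnly flag, while a freshly created GPO uses explicit FA/0x1200a9 ACEs on the folder itself; both have the protected (P) DACL flag, so neither inherits from the Policies parent.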
On Tue, 21 Mar 2017 17:09:22 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
>
> Here you go, my output of the R2008R2 (64bit).
>
> 1) original GPO from the install ( the domain controller policy )
> Path :
> Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
> Owner : BUILTIN\Administrators
> Group : NT AUTHORITY\SYSTEM

This is the same as what I found, the default policies get the above ownership.

> 2) and a just-now created GPO, didn't touch it at all.
> Path :
> Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{EDC26216-625D-42D7-8443-9003D427DEF5}
> Owner : ROTTERDAM\Domain Admins
> Group : ROTTERDAM\Domain Admins
> Access : CREATOR OWNER Allow FullControl
> NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow ReadAndExecute, Synchronize
> NT AUTHORITY\Authenticated Users Allow ReadAndExecute, Synchronize
> NT AUTHORITY\SYSTEM Allow FullControl
> ROTTERDAM\Domain Admins Allow FullControl
> ROTTERDAM\Enterprise Admins Allow FullControl
> Audit :
> Sddl :
> O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)

Now do you believe me when I say Domain Admins shouldn't have a gidNumber ?

Rowland
No,
I don't agree/believe you.. ... because of my setup.
On a Samba member (4.5/4.6):
getent group "Domain Admins"
domain admins:x:10001:admin,administrator
I've run like this for more than a year.
On the Samba DC (4.5.3):
NTDOM\domain admins:x:3000008
All others are ok on the dc.
BAZRTD\domain users:x:10000
BAZRTD\domain guests:x:10002:
It works fine here; this is what I want.
Yes, the IDs on the DC and members are different, but I don't mind that.
This is on my Samba DC:
# file: var/lib/samba/sysvol/som.dome.tld/Policies/{12347FD-61B1-446E-ACEA-907BCA12E0E1}/
# owner: root
# group: BAZRTD\134domain\040admins
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::---
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
So again, why not?
It works as it should, at least for me.
I only have one problem (ok, 2...) on my DC:
GID 300002 and GID 300003
One should be "NT AUTHORITY\SYSTEM"; this is my biggest problem.
Some GPOs are not working correctly due to a mismatch in SIDs/RIDs with the
user SYSTEM. But I saw all the hard work the devs are doing, I'm amazed by it, so
I'll wait until that's fixed; I have my workaround..
For me it's very simple: I never ever run sysvolreset.
And if I must run sysvolreset (yes, it happened one or 2 times),
I have the steps to set it up again like above; yes, a bit more work, but it reflects
the Windows defaults better IMHO.
And acl_xattr:ignore system acls = yes is my friend here..
Greetz,
Louis
> -----Original message-----
> From: Rowland Penny [mailto:rpenny at samba.org]
> Sent: Tuesday 21 March 2017 17:27
> To: samba at lists.samba.org
> CC: L.P.H. van Belle
> Subject: Re: [Samba] Problem sysvolreset
>
> On Tue, 21 Mar 2017 17:09:22 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hai,
> >
> >
> >
> > Here you go my output of the R2008R2. (64bit)
> >
> >
> >
> > 1) original GPO from the install ( the domain controller policy )
> >
> > Path :
> >
> > Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
> >
> > Owner : BUILTIN\Administrators
> >
> > Group : NT AUTHORITY\SYSTEM
> >
>
> This is the same as what I found, the default policies get the above
> ownership.
>
> >
> > 2) and a just-now created GPO, didn't touch it at all.
> >
> > Path :
> >
> > Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{EDC26216-625D-42D7-8443-9003D427DEF5}
> >
> > Owner : ROTTERDAM\Domain Admins
> >
> > Group : ROTTERDAM\Domain Admins
> >
> > Access : CREATOR OWNER Allow FullControl
> >
> > NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow
> > ReadAndExecute, Synchronize
> >
> > NT AUTHORITY\Authenticated Users Allow ReadAndExecute,
> > Synchronize
> >
> > NT AUTHORITY\SYSTEM Allow FullControl
> >
> > ROTTERDAM\Domain Admins Allow FullControl
> >
> > ROTTERDAM\Enterprise Admins Allow FullControl
> >
> > Audit :
> >
> > Sddl :
> >
> > O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)
>
> Now do you believe me when I say Domain Admins shouldn't have a
> gidNumber ?
>
> Rowland
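The getfacl listing in Louis's message shows the two symptoms the thread is about: group names that getfacl prints with octal escapes (`\134` is a backslash, `\040` a space), and entries whose qualifier is a bare number (3000002, 3000003) because winbind on the DC has no name for that xid. The following is an added example, not code from the thread, that parses such a listing, unescapes the names, reports the unmapped ids, and checks that the access ACL and the default ACL of the policy folder agree (a difference would mean files created later under the folder get different permissions from the folder itself). The sample input is the listing from the message above, reassembled onto its original lines; the `audit` function name and report layout are this example's own.

```python
"""Audit getfacl output from a Samba DC sysvol policy folder.

Added example (not from the Samba list thread). Input format is the standard
getfacl listing; sample data is the listing posted in the thread.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class AclEntry(NamedTuple):
    default: bool    # True for 'default:' entries (applied to new children)
    tag: str         # user, group, mask or other
    qualifier: str   # name or numeric id; '' for the owner / owning-group slot
    perms: str       # rwx string as printed by getfacl


def unescape(text: str) -> str:
    """Undo getfacl's \\ooo octal escapes (\\134 = backslash, \\040 = space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)


def parse_getfacl(output: str) -> Dict:
    """Return {'file', 'owner', 'group', 'entries'} for one getfacl listing."""
    header: Dict[str, str] = {}
    entries: List[AclEntry] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = unescape(value.strip())
            continue
        # getfacl appends "\t#effective:..." when the mask limits an entry.
        line = line.split("#effective")[0].strip()
        parts = line.split(":")
        default = parts[0] == "default"
        if default:
            parts = parts[1:]
        if len(parts) != 3:
            raise ValueError(f"unexpected ACL line: {raw!r}")
        tag, qualifier, perms = parts
        entries.append(AclEntry(default, tag, unescape(qualifier), perms))
    return {"file": header.get("file", ""), "owner": header.get("owner", ""),
            "group": header.get("group", ""), "entries": entries}


def unresolved_ids(entries: List[AclEntry]) -> List[str]:
    """Qualifiers that are bare numbers: xids winbind could not map to a name."""
    return sorted({e.qualifier for e in entries if e.qualifier.isdigit()})


def access_default_mismatches(entries: List[AclEntry]) -> List[Tuple[str, str]]:
    """(tag, qualifier) pairs whose access ACL and default ACL entries differ."""
    access = {(e.tag, e.qualifier): e.perms for e in entries if not e.default}
    default = {(e.tag, e.qualifier): e.perms for e in entries if e.default}
    return sorted(k for k in access.keys() | default.keys()
                  if access.get(k) != default.get(k))


def audit(output: str) -> Dict:
    """Summarise one listing: owner, group, unmapped xids, ACL drift."""
    acl = parse_getfacl(output)
    return {"owner": acl["owner"], "group": acl["group"],
            "unresolved": unresolved_ids(acl["entries"]),
            "mismatches": access_default_mismatches(acl["entries"])}


# Constructed sample input: the getfacl listing posted in the thread.
SAMPLE = r"""
# file: var/lib/samba/sysvol/som.dome.tld/Policies/{12347FD-61B1-446E-ACEA-907BCA12E0E1}/
# owner: root
# group: BAZRTD\134domain\040admins
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::---
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
"""

if __name__ == "__main__":
    report = audit(SAMPLE)
    print(f"owner={report['owner']!r} group={report['group']!r}")
    print("unmapped xids:", ", ".join(report["unresolved"]) or "none")
    print("access/default differences:", report["mismatches"] or "none")
```

Run against the thread's listing it reports the owning group as `BAZRTD\domain admins`, the two unmapped xids 3000002 and 3000003, and no drift between the access and default ACLs; on a real DC the same check can be fed `getfacl -R` output for the whole Policies tree to find folders whose ACLs were changed by hand or by sysvolreset.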
On Wed, 22 Mar 2017 08:09:31 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> No,
>
> I don't agree/believe you.. ... because of my setup.

As long as you don't run sysvolreset, you won't have a problem, you also seem to be working around the fact that sysvolreset is totally (in my opinion) borked.

> On a Samba member (4.5/4.6):
> getent group "Domain Admins"
> domain admins:x:10001:admin,administrator
> I've run like this for more than a year.

I use a group called 'Unix Admins' joined to 'Domain Admins' and give this group a gidNumber.

> I only have one problem (ok, 2...) on my DC:
> GID 300002 and GID 300003
> One should be "NT AUTHORITY\SYSTEM"; this is my biggest problem.
> Some GPOs are not working correctly due to a mismatch in SIDs/RIDs with
> the user SYSTEM. But I saw all the hard work the devs are doing, I'm
> amazed by it, so I'll wait until that's fixed; I have my workaround..
>
> For me it's very simple: I never ever run sysvolreset.
> And if I must run sysvolreset (yes, it happened one or 2 times),

At least you have found running sysvolreset isn't a good idea ;-)

Rowland