Hi,

In MS-ADTS, section 7.1.3.6, the following is written:

"The GROUP field is defaulted as follows: If the DAG was used as the default OWNER field value, then the same SID is written into the GROUP field."
However, it appears that the creating user's primary group is ALWAYS used as
the default group, regardless of partition or owner.
Example:
We create an object in the domain partition, say an OU, without providing an
nTSecurityDescriptor. The creating user is a member of Domain Admins, with
primary group Domain Users, so the DAG is Domain Admins as per the DAG rules in
the same document. Domain Admins is used as the OWNER in the new object's
security descriptor. According to the above statement, Domain Admins should
also be set as the default group. However, on a Windows 2003 server, Domain
Users is defaulted as the group in the new object's descriptor. If the user's
primary group is changed to Domain Admins, then the group of the new object is
defaulted to Domain Admins.
The above behavior is consistent with the CreateSecurityDescriptor algorithm from
MS-DTYP, where the primary group of the security token is assigned if a group
is not provided.
Could you please clarify the contradiction between MS-ADTS, MS-DTYP and actual
behavior?
Regards,
Nadezhda Ivanova
Software Engineer, Software Development
[email protected] CISCO SYSTEMS BULGARIA EOOD
18 Macedonia Blvd. Sofia 1606
Bulgaria
cifs-protocol mailing list, [email protected], https://lists.samba.org/mailman/listinfo/cifs-protocol
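As an added illustration (not code from the mail above, from Samba or from Microsoft), a small Python model that derives the default OWNER and then the GROUP under both readings for a given creator token, so the two specifications can be compared side by side. The DAG membership rule and the fallback to the primary group when the DAG is not the owner are my summary of MS-ADTS, and the domain SID and RIDs used below are constructed.

```python
from dataclasses import dataclass

# Well-known RIDs appended to the domain SID (S-1-5-21-...).
RID_DOMAIN_ADMINS = 512
RID_ENTERPRISE_ADMINS = 519


@dataclass
class Token:
    """Minimal model of the creator's access token; SIDs are plain strings."""
    user_sid: str
    primary_group_sid: str
    group_sids: frozenset


def default_admin_group(domain_sid: str, partition: str) -> str:
    """DAG: Domain Admins for the domain NC, Enterprise Admins for the
    configuration and schema NCs (assumption: my summary of MS-ADTS)."""
    if partition == "domain":
        return f"{domain_sid}-{RID_DOMAIN_ADMINS}"
    if partition in ("config", "schema"):
        return f"{domain_sid}-{RID_ENTERPRISE_ADMINS}"
    raise ValueError(f"unsupported partition {partition!r}")


def default_owner(token: Token, domain_sid: str, partition: str) -> str:
    """OWNER defaults to the DAG when the creator is a member of it,
    otherwise to the creator's own SID."""
    dag = default_admin_group(domain_sid, partition)
    return dag if dag in token.group_sids else token.user_sid


def default_group_adts(token: Token, domain_sid: str, partition: str) -> str:
    """GROUP as the quoted MS-ADTS sentence reads: the DAG if it became the
    owner; otherwise (assumption) the token's primary group."""
    dag = default_admin_group(domain_sid, partition)
    if default_owner(token, domain_sid, partition) == dag:
        return dag
    return token.primary_group_sid


def compare_defaults(token: Token, domain_sid: str, partition: str) -> dict:
    """Both readings side by side. MS-DTYP CreateSecurityDescriptor (and the
    observed Windows 2003 behaviour) always takes the token's primary group;
    'consistent' is False exactly when the two readings disagree."""
    adts = default_group_adts(token, domain_sid, partition)
    dtyp = token.primary_group_sid
    return {"owner": default_owner(token, domain_sid, partition),
            "group_adts": adts, "group_dtyp": dtyp,
            "consistent": adts == dtyp}
```

Running it with a Domain Admins member whose primary group is Domain Users reproduces the mismatch described in the mail; changing the primary group to Domain Admins makes the two readings agree.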
