Nadia,

I will investigate this and follow-up.

Regards,
Edgar

From: Bryan Burgin
Sent: Monday, October 07, 2013 11:25 AM
To: Nadezhda Ivanova
Cc: [email protected]; MSSolve Case Email
Subject: [REG113100710843173]: Question about LDAP delete operation on 
Administrator and other built-in accounts

[-dochelp; +casemail]

Hi Nadezhda,

Thank you for your question.  We created SR 113100710843173 to track this 
issue.  An engineer from the Protocols will contact you soon.

Bryan

From: [email protected] On Behalf Of Nadezhda Ivanova
Sent: Monday, October 7, 2013 5:55 AM
To: Interoperability Documentation Help
Cc: [email protected]
Subject: Question about LDAP delete operation on Administrator and other 
built-in accounts

Hi,
At the I/O Lab we asked about the restrictions that apply on performing a 
delete operation on built-in accounts. To explain the correct behavior, Edgar 
kindly supplied the following references:
"
3.1.1.5.5.1.1 Tombstone Requirements
http://msdn.microsoft.com/en-us/library/cc223481.aspx

A protected object may not be deleted and transformed into a tombstone (see 
Protected Objects, section 3.1.1.5.5.3, 
http://msdn.microsoft.com/en-us/library/cc223483.aspx).

3.1.1.5.5.3 Protected Objects
http://msdn.microsoft.com/en-us/library/cc223483.aspx

3.1.1.6.1.2 Protected Objects
http://msdn.microsoft.com/en-us/library/dd240058.aspx
...

o   well-known security principals:
*  of class user (http://msdn.microsoft.com/en-us/library/cc221822.aspx) with 
RID = DOMAIN_USER_RID_ADMIN

"
However, some testing revealed that the last reference, which we hoped would 
explain why the Administrator should not be deleted, appears not to be relevant 
to the case. A delete operation on any built-in account or predefined domain RID 
returns LDAP error 80, and the group membership does not really affect the 
deletion of users or groups.
So after some digging, I found this:

http://msdn.microsoft.com/en-us/library/cc245803.aspx
Namely: If the RID of U's objectSid attribute value is less than 1000, an error 
MUST be returned.
Could you please confirm that this is indeed the only restriction relevant to 
the case?
Best Regards,
Nadezhda Ivanova
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
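The constraint Nadezhda quotes (delete of a security principal whose RID is below 1000 must fail) is easy to misread if one only looks at string SIDs, because the RID has to be pulled out of the binary objectSid value a directory actually stores. The following is an added example, not code from this thread, from Samba or from Microsoft: it decodes and encodes binary SIDs in the MS-DTYP layout, takes the RID as the last sub-authority, applies the RID < 1000 check, and models a DelRequest against a small constructed in-memory directory. The domain SID, the DNs and the directory contents are made up for the example; the result code returned for a protected object is 80, the "other" resultCode of RFC 4511, matching the "LDAP error 80" reported in the message above.

```python
import struct

# RID constants from MS-DTYP 2.4.2.4 (well-known SID structures)
DOMAIN_USER_RID_ADMIN = 500          # the built-in Administrator account
DOMAIN_GROUP_RID_ADMINS = 512        # Domain Admins
PROTECTED_RID_LIMIT = 1000           # MS-ADTS: deleting an object with RID < 1000 MUST fail

# LDAP resultCode values from RFC 4511; the thread reports error 80 ("other")
LDAP_SUCCESS = 0
LDAP_NO_SUCH_OBJECT = 32
LDAP_OTHER = 80


def parse_sid(blob: bytes):
    """Decode a binary objectSid (MS-DTYP 2.4.2.2 layout) into
    (revision, identifier_authority, [sub_authorities])."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match SubAuthorityCount")
    authority = int.from_bytes(blob[2:8], "big")           # 6-byte big-endian
    subs = list(struct.unpack("<%dI" % count, blob[8:]))   # little-endian uint32 each
    return revision, authority, subs


def string_to_sid(text: str) -> bytes:
    """Encode 'S-1-5-21-...-500' into the binary form stored in objectSid."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID string")
    revision, authority = int(parts[1]), int(parts[2], 0)
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError("malformed SID string")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_to_string(blob: bytes) -> str:
    revision, authority, subs = parse_sid(blob)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def rid_of(blob: bytes) -> int:
    """The RID is the last sub-authority of the SID."""
    _, _, subs = parse_sid(blob)
    if not subs:
        raise ValueError("SID has no sub-authorities, so no RID")
    return subs[-1]


def check_delete(object_sid: bytes):
    """Apply the MS-ADTS delete constraint quoted in the thread: a security
    principal whose RID is below 1000 must not be deleted.
    Returns (resultCode, diagnosticMessage)."""
    rid = rid_of(object_sid)
    if rid < PROTECTED_RID_LIMIT:
        return LDAP_OTHER, "cannot delete object with RID %d (< %d)" % (rid, PROTECTED_RID_LIMIT)
    return LDAP_SUCCESS, ""


# Constructed sample directory; the domain SID and DNs are made up for this example.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DIRECTORY = {
    "CN=Administrator,CN=Users,DC=example,DC=com": string_to_sid(DOMAIN_SID + "-500"),
    "CN=Domain Admins,CN=Users,DC=example,DC=com": string_to_sid(DOMAIN_SID + "-512"),
    "CN=Administrators,CN=Builtin,DC=example,DC=com": string_to_sid("S-1-5-32-544"),
    "CN=alice,CN=Users,DC=example,DC=com": string_to_sid(DOMAIN_SID + "-1104"),
}


def delete_request(dn: str) -> int:
    """Model a DC handling an LDAP DelRequest for a security principal:
    unknown DN -> noSuchObject, protected RID -> other (80), else delete."""
    sid = DIRECTORY.get(dn)
    if sid is None:
        return LDAP_NO_SUCH_OBJECT
    code, _ = check_delete(sid)
    if code == LDAP_SUCCESS:
        del DIRECTORY[dn]
    return code


if __name__ == "__main__":
    for dn, sid in list(DIRECTORY.items()):
        print("%-48s %-44s RID %5d -> resultCode %d"
              % (dn, sid_to_string(sid), rid_of(sid), delete_request(dn)))
```

Note that the check is keyed purely on the RID, so it catches the Builtin Administrators group (S-1-5-32-544) and Domain Admins (RID 512) as well as the Administrator user (RID 500), which is consistent with the observation in the thread that group membership plays no role in the refusal.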