>> Definitely that is where your login scripts and so forth are or the
>> general place that you are supposed to put them. I've got to go do some
>> work over at a place I have a Samba4 PDC setup tomorrow.
>>
>> Did you mess with the permissions or don't recall? Was it like that when
>> you installed?
>>
>> I wouldn't allow Everyone to have access. Go the Authenticated Users
>> route or maybe Domain Users with read/execute permissions. I'll check all
>> the different users on it tomorrow for ya and drop back a line to this
>> thread though. There might be a phantom User that only Samba knows about
>> that is listed there that might be specific to your install.
>>
>> It would be nice if someone chimed in here, have been wondering about
>> that... ;)
>>
>> Chris
>>
> Hi Chris:
> It's a recent test installation using Samba4 alpha 17 tar. I have done
> nothing with the permissions. I haven't even touched smb.conf.
> I was browsing the content of sysvol in my Samba4 server with a domain
> user I created and then I tried deleting a file and I could do it, tried
> with the whole content of sysvol and I could delete all. Then I
> reinstalled samba and tried again with a new domain user, and could do it
> again.
>
> The permissions on a Windows 2003 server are as shown below and you're
> right only authenticated users should have read and execute permissions.
> But I tried with a Windows client in a virtual pc against a real Windows
> 2003 server and surprisingly I could list the content of sysvol in spite
> of this virtual pc not being a member of the Windows 2003 server domain.
> That's why I suggested that maybe it would be ok to allow everyone read
> and execute permissions.
>
My mistake. Unauthenticated users have no access to sysvol in Windows 2003 server. Sorry!!!
>
>
>> On Wed, Sep 28, 2011 at 1:55 PM, <[email protected]> wrote:
>>
>>> > On 28/09/2011 04:59, [email protected] wrote:
>>> >>>> On 27/09/2011 13:07, [email protected] wrote:
>>> >>>>> Hello.
>>> >>>>> I noticed that any domain user can delete the content of the
>>> >>>>> shared folder sysvol in the domain controller from a Windows
>>> >>>>> client.
>>> >>>>>
>>> >>>>> How can I avoid that?
>>> >>>>>
>>> >>>>> Greetings,
>>> >>>>> Felix
>>> >>>>>
>>> >>>> What's the default Windows behavior with this?
>>> >>>>
>>> >>>> Matthieu.
>>> >>>>
>>> >>> Windows users             Windows permissions
>>> >>> -------------------------------------------------
>>> >>> Domain Admins-----------> Full Access
>>> >>> Authenticated Users-----> Read & Execute, List folder contents, Read
>>> >>> CREATOR OWNER-----------> Special permissions (Maybe we don't need this)
>>> >>> Server Operators--------> Read & Execute, List folder contents, Read
>>> >>> SYSTEM------------------> Full Access
>>> >>>
>>> >> I think that what is needed here is:
>>> >> Domain Admins-------------> Full Access
>>> >> and everybody else--------> Read & Execute, List folder contents, Read
>>> >>
>>> >> I think that GPOs and some scripts are delivered to Windows clients
>>> >> through sysvol, that's why I don't want any of my users to be able
>>> >> to delete the sysvol content.
>>> >>
>>> >> What should I do to accomplish that goal?
>>> > In theory we should have the ACLs ok, I have to check these things
>>> > but it won't be before next week, I'm at IOLAB with Microsoft this
>>> > week focusing on FRS replication.
>>> >
>>> >
>>> > Sorry.
>>> >
>>> > Matthieu.
>>> >
>>> I understand. I'll be waiting for an answer.
>>> Thanks.
>>>
>>> Felix.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
