Hi Hongwei,
For the moment it's quite clear why we fail as we do not set any ACL by
default on the sysvol volume.
I will already fix this + the sDRightsEffective attribute and I'll see
if it do the job.
I will try to use also the same SSDL as in w2k3 to see if I have the
same resulting
Matthieu,
For Problem #1, only the SE_DACL_PROTECTED(0x1000) has to be set for
ControlFlag in Security Descriptor in order to pass the step 2 in consistency
testing. This is translated to P flag in SDDL. With this said, it is
normal to have D:PAI since this will indicate that the
