
Re: [Samba] Windows ACL clarification for Roaming Profiles share

Hi Louis,

On 17.02.2017 at 09:26, L.P.H. van Belle via samba wrote:
> What uses the SYSTEM principal on the Sysvol share?
> Every computer or user that has a GPO set.

You may be right that "computer" GPOs are applied locally using the SYSTEM account. However, this is _local_ and the computer does not access the Sysvol share using the SYSTEM account. To download the computer GPOs, the machine account is used to connect to the share. Per-user GPOs are downloaded using the user's permissions and applied to the user's files and registry (HKCU).

However, I gave it a try to see if my knowledge has become outdated in the meantime:
- I removed the SYSTEM account from the Sysvol share including from all subfolders.
- I created two GPOs in the "Default domain policy":
  - I set a different background for the logon screen (computer)
  - I removed the "change password" entry from the CTRL+ALT+DEL menu (user)
  - I mapped the Sysvol share using GPO preferences (user)
- I rebooted my Win10 client.

After the reboot, the background was changed and after I logged in, the entry was hidden in the menu and the share connected. The Sysvol share works without SYSTEM account in the ACLs locally on the share.

Give it a try if you don't believe me. :-)

> Do read:
> And see here, Security options:
> Computer Configuration, by default the task is run in the security context of the SYSTEM account.

This is about tasks that run locally. And locally on a Windows machine is where the SYSTEM account is usually used. If the local SYSTEM Account tries to access a network resource, it uses the machine account to authenticate.

That's why it is not necessary to add SYSTEM to the file system ACLs on a Samba share: SYSTEM is just an account that exists _locally_ and is not used when connecting to network resources.

If you have anything (a service, a task job, etc.) running on your _local_ computer that uses the SYSTEM account, then SYSTEM must of course be added to the local file system ACLs if this task, etc. should be able to access _local_ files.

Here's a nice explanation of the SYSTEM account:

See also:

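The thread's argument is that a SYSTEM entry in a share ACL is dead weight, because a Windows client authenticates to the share as its machine account. The following script is an added example (not code from the thread or from the Samba project) for checking that claim against a share's own security descriptor: it parses a descriptor written in SDDL, the form `samba-tool ntacl get --as-sddl <path>` is assumed to print, reports which principals actually hold read access, counts the ACEs that name SYSTEM (S-1-5-18), and can strip a principal's ACEs to preview the descriptor without it, which is what the poster did by hand on Sysvol. The sample descriptor inside the script is constructed for the example and is not Samba's real Sysvol default.

```python
"""Audit the DACL of a Windows/Samba security descriptor given as SDDL.

Added example, not code from the mailing-list thread. Assumes the SDDL
form printed by `samba-tool ntacl get --as-sddl <path>` and plain
six-field ACEs (no conditional ACEs).
"""
import re

SYSTEM_SID = "S-1-5-18"

# Subset of the SDDL well-known SID aliases (MS-DTYP 2.4.2.4);
# anything not listed must be written as a full S-1-... SID.
SDDL_ALIASES = {
    "SY": "S-1-5-18",      # NT AUTHORITY\SYSTEM (exists only on the local machine)
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "SO": "S-1-5-32-549",  # BUILTIN\Server Operators
    "AU": "S-1-5-11",      # NT AUTHORITY\Authenticated Users
    "WD": "S-1-1-0",       # Everyone
    "CO": "S-1-3-0",       # CREATOR OWNER
}

# Two-letter access-right codes that may appear instead of a hex mask.
RIGHT_CODES = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}
FILE_READ_DATA = 0x00000001
GENERIC_READ = 0x80000000


def resolve_sid(token):
    """Turn an SDDL alias such as 'SY' into its SID; pass full SIDs through."""
    if token.startswith("S-1-"):
        return token
    if token not in SDDL_ALIASES:
        raise ValueError(f"unknown SDDL alias {token!r}")
    return SDDL_ALIASES[token]


def parse_rights(field):
    """Rights are either a hex mask ('0x001f01ff') or concatenated codes ('FRFX')."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHT_CODES[field[i:i + 2]]
    return mask


def parse_sddl(sddl):
    """Return owner, group and the DACL as a list of ACE dicts."""
    desc = {"owner": None, "group": None, "dacl": []}
    # Split in front of the O:, G:, D: and S: section markers.
    for part in re.split(r"(?=[OGDS]:)", sddl):
        if not part:
            continue
        kind, body = part[:2], part[2:]
        if kind == "O:":
            desc["owner"] = resolve_sid(body)
        elif kind == "G:":
            desc["group"] = resolve_sid(body)
        elif kind == "D:":
            for ace in re.findall(r"\(([^)]*)\)", body):
                ace_type, flags, rights, _obj, _inh_obj, sid = ace.split(";")
                desc["dacl"].append({
                    "type": ace_type,
                    # flags are two-letter codes, e.g. OICIIO -> OI, CI, IO
                    "flags": {flags[i:i + 2] for i in range(0, len(flags), 2)},
                    "rights": parse_rights(rights),
                    "sid": resolve_sid(sid),
                })
    return desc


def read_principals(sddl):
    """SIDs holding an allow ACE that applies to the object itself and grants read."""
    found = set()
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["type"] != "A" or "IO" in ace["flags"]:
            continue  # deny ACEs and inherit-only ACEs grant nothing on this object
        if ace["rights"] & (FILE_READ_DATA | GENERIC_READ):
            found.add(ace["sid"])
    return sorted(found)


def count_system_aces(sddl):
    """How many ACEs name the local SYSTEM account."""
    return sum(1 for ace in parse_sddl(sddl)["dacl"] if ace["sid"] == SYSTEM_SID)


def remove_principal(sddl, principal):
    """Return the SDDL with every ACE for the given alias or SID removed."""
    target = resolve_sid(principal)

    def keep_unless_target(m):
        return "" if resolve_sid(m.group(1).split(";")[5]) == target else m.group(0)

    return re.sub(r"\(([^)]*)\)", keep_unless_target, sddl)


# Constructed sample descriptor; not Samba's real Sysvol default.
SAMPLE = ("O:BAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;AU)(A;OICIIO;0x001f01ff;;;CO)")

if __name__ == "__main__":
    print("SYSTEM ACEs:", count_system_aces(SAMPLE))
    print("read access:", read_principals(SAMPLE))
    trimmed = remove_principal(SAMPLE, "SY")
    print("without SYSTEM:", trimmed)
    print("read access now:", read_principals(trimmed))
```

On the sample, dropping the SY entry leaves Administrators and Authenticated Users with read access. A domain member's machine account (DOMAIN\COMPUTER$) is an authenticated principal and so falls under Authenticated Users, which is the entry a computer-policy download from Sysvol actually relies on; the SYSTEM ACE was never the one being exercised. Run the script against the descriptor of a real share before and after a change to see which principals would lose access.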

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba