
Re: [Samba] Windows ACL clarification for Roaming Profiles share
Hi Louis,

On 17.02.2017 at 09:26, L.P.H. van Belle via samba wrote:
> > What uses the SYSTEM principal on the Sysvol share?
> >
> Every computer or user that has a GPO set.

You may be right that "computer" GPOs are applied locally using the SYSTEM account. However, this is _local_ and the computer does not access the Sysvol share using the SYSTEM account. To download the computer GPOs, the machine account is used to connect to the share. Per-user GPOs are downloaded using the user's permissions and applied to the user's files and registry (HKCU).


However, I gave it a try, to see whether my knowledge is outdated by now:
- I removed the SYSTEM account from the Sysvol share, including all subfolders.
- I created two GPOs in the "Default domain policy":
  - I set a different background for the logon screen (computer)
  - I removed the "change password" entry from the CTRL+ALT+DEL menu (user)
  - I mapped the Sysvol share using GPO preferences (user)
- I rebooted my Win10 client.

After the reboot, the background was changed and after I logged in, the entry was hidden in the menu and the share connected. The Sysvol share works without the SYSTEM account in the ACLs locally on the share.

Give it a try if you don't believe me. :-)



> Do read:
> https://technet.microsoft.com/en-us/library/dd851678(v=ws.11).aspx
> And see here, Security options:
> Computer Configuration, by default the task is run in the security context of the SYSTEM account.

This is about tasks that run locally. And locally on a Windows machine is where the SYSTEM account is usually used. If the local SYSTEM Account tries to access a network resource, it uses the machine account to authenticate.

That's why it is not necessary to add SYSTEM to the file system ACLs on a Samba share: SYSTEM is just an account that exists _locally_ and is not used when connecting to network resources.

If you have anything (a service, a task job, etc.) running on your _local_ computer that uses the SYSTEM account, then SYSTEM must of course be added to the local file system ACLs if this task, etc. should be able to access _local_ files.


Here's a nice explanation of the SYSTEM account:
https://abhijitw.wordpress.com/2012/03/03/the-local-system-account/

See also:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms684190%28v=vs.85%29.aspx
https://support.microsoft.com/en-us/help/120929/how-the-system-account-is-used-in-windows


Regards,
Marc
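As an added example (not from this thread or from Samba itself), a small Python audit of an `smbcacls` ACL dump for a Sysvol path. It assumes the `ACL:trustee:ALLOWED/flags/mask` line format that smbcacls(1) prints and uses a constructed sample ACL; it flags ACEs for the well-known SYSTEM SID S-1-5-18 (or its resolved name), which, as explained above, never match a client connecting over the network, and lists the remaining ACEs that actually apply to connecting machine and user accounts.

```python
"""Audit a Samba Sysvol ACL dump for local-only SYSTEM entries."""
from __future__ import annotations
import re
from dataclasses import dataclass

SYSTEM_SID = "S-1-5-18"  # well-known SID of NT AUTHORITY\SYSTEM (local account only)

# Constructed sample in the layout smbcacls(1) prints (names resolved, not SIDs).
SAMPLE_SMBCACLS_OUTPUT = """\
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\\Administrators
GROUP:EXAMPLE\\Domain Users
ACL:BUILTIN\\Administrators:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\\Authenticated Users:ALLOWED/OI|CI/READ
ACL:EXAMPLE\\Enterprise Domain Controllers:ALLOWED/OI|CI/READ
ACL:EXAMPLE\\Group Policy Creator Owners:ALLOWED/OI|CI/CHANGE
"""

# trustee : ALLOWED|DENIED / inheritance flags / access mask
ACE_RE = re.compile(r"^ACL:(?P<trustee>.+):(?P<kind>ALLOWED|DENIED)/(?P<flags>[^/]*)/(?P<mask>.+)$")


@dataclass(frozen=True)
class Ace:
    trustee: str
    kind: str
    flags: str
    mask: str


def parse_aces(text: str) -> list[Ace]:
    """Extract the ACL: lines from an smbcacls dump; other lines are ignored."""
    return [Ace(**m.groupdict()) for line in text.splitlines()
            if (m := ACE_RE.match(line.strip()))]


def is_local_system(trustee: str) -> bool:
    """True for the local SYSTEM account, in SID form or resolved-name form."""
    return trustee == SYSTEM_SID or trustee.upper() == "NT AUTHORITY\\SYSTEM"


def audit(text: str) -> dict[str, list[Ace]]:
    """Split the ACL into SYSTEM ACEs (unused by network clients) and the rest."""
    aces = parse_aces(text)
    return {"system_aces": [a for a in aces if is_local_system(a.trustee)],
            "network_effective": [a for a in aces if not is_local_system(a.trustee)]}


if __name__ == "__main__":
    report = audit(SAMPLE_SMBCACLS_OUTPUT)
    for a in report["system_aces"]:
        print(f"unneeded for SMB clients: {a.trustee} {a.kind}/{a.flags}/{a.mask}")
    for a in report["network_effective"]:
        print(f"applies to connecting accounts: {a.trustee} {a.kind}/{a.flags}/{a.mask}")
```

On a real server, feed it the output of `smbcacls //dc/sysvol /example.com/Policies -U admin` (path and user are placeholders).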


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba