On 11. 4. 2015 11:08, Achim Gratz wrote: > David Macek writes: >> Power Users don't have access to (almost) everything, like >> Administrators do. The Domain Administrators group is a member of >> Administrators, so unless I'm missing something, there's no reason to >> have them explicitely in the DACL. > > That doesn't stop folks from using them in DACL entries and membership > of one group in another (rightly) doesn't confer transitive access > rights. I've just named these two examples because I've seen them > before in ACL, I make no claim as to whether that's a sensible thing to > do or not.
https://technet.microsoft.com/en-us/library/cc776499(v=ws.10).aspx says otherwise about the group-in-group rights. I'm a bit confused. Maybe we're talking about different things -- of course it makes sense to give Domain Administrators more rights than Administrators, but I don't see any reason for blanket granting Domain Administrators explicit rights on everything on the filesystem. The way I see it, the point of the code change was to prevent the "implicit" Administrators and SYSTEM DACL entries from showing up in the computed POSIX access mask because they nicely match the implicit rights root accounts have on POSIX systems and because they're unhelpful and sometimes problematic. As neither Domain Administrators nor Power Users have this combination of properties (presence on most filesystem objects by default and SeTakeOwnershipPrivilege), I think it's useful to have them appear in the mask. Please correct me if I'm talking nonsense; I have little practical experience with domain environments. -- David Macek
smime.p7s
Description: S/MIME Cryptographic Signature
