Univention Bugzilla – Bug 33768
sync ntSecurityDescriptor of groupPolicyContainer objects
Last modified: 2015-07-20 09:16:43 CEST
For a proper sysvol synchronization, we need to sync the ntSecurityDescriptor (the ACLs for the GPO) for GPO objects.
This is especially necessary for UCS@school environments, because here GPO objects are replicated to the domain DCs via s4connector|UCS LDAP replication (not by DRS replication).
Reported via 2014092421000347
Scheduled for end of November.
I've a UCS@school setup with S4 on master and two slaves. If I create a GPO and remove Authenticated Users from the GPO permissions and add another group, Authenticated Users is re-added. If I stop the s4 connector, Authenticated Users is not re-added. The problem is the attribute based sync.
As discussed, maybe we sync the ntSecurityDescriptor in @school setups only.
Ok, code and advisory have been updated. There is a new errata bug for UCS@school 4.0 to activate synchronization.
(In reply to Arvid Requate from comment #5)
> Ok, code and advisory have been updated. There is a new errata bug for
> UCS@school 4.0 to activate synchronization.
That's Bug #37350.
Code review: OK