Question about owner and group defaulting rules in MS-ADTS

Hi,

In MS-ADTS, section 7.1.3.6, the following is written:

The GROUP field is defaulted as follows:
- If the DAG was used as the default OWNER field value, then the same SID is written into the GROUP field.

However, it appears that the creating user’s primary group is ALWAYS used as the default group, regardless of partition or owner.

Example:

We create an object in the domain partition, say an OU, without providing an nTSecurityDescriptor. The creating user is a member of Domain Admins, with primary group Domain Users, so the DAG is Domain Admins as per the DAG rules in the same document. Domain Admins is used as the OWNER in the new object’s security descriptor. According to the above statement, Domain Admins should also be set as the default group. However, in a Windows 2003 server, Domain Users is defaulted as the group in the new object’s descriptor. If the user’s primary group is changed to Domain Admins, then the group of the new object is defaulted to Domain Admins.

The above behavior is consistent with the CreateSecurityDescriptor algorithm from MS-DTYP, where the primary group of the security token is assigned if a group is not provided.

Could you please clarify the contradiction between MS-ADTS, MS-DTYP and actual behavior?

Regards,
Nadezhda Ivanova

_______________________________________________
cifs-protocol mailing list
cifs-protocol@...
https://lists.samba.org/mailman/listinfo/cifs-protocol
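The defaulting described in the post above, as an added example that is not part of the original thread and is neither Samba nor Windows code. It models OWNER and GROUP selection for an object created without an nTSecurityDescriptor in two forms: the literal reading of the MS-ADTS 7.1.3.6 sentence quoted in the post, and the behaviour observed on Windows Server 2003 (which matches MS-DTYP CreateSecurityDescriptor). The domain SID, the user RIDs and the Token class are constructed. The DAG choice per naming context (Domain Admins for the domain NC, Enterprise Admins for the configuration and schema NCs) is my reading of the MS-ADTS DAG rules the post refers to, and the fallback branch of the spec-text rule is an assumption, since the post quotes only the DAG case.

```python
from dataclasses import dataclass

# Constructed SIDs for a single-domain forest (assumption: the forest root
# domain is this domain, so Enterprise Admins lives in the same domain).
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
DOMAIN_ADMINS = DOMAIN_SID + "-512"      # well-known RID 512
DOMAIN_USERS = DOMAIN_SID + "-513"       # well-known RID 513
ENTERPRISE_ADMINS = DOMAIN_SID + "-519"  # well-known RID 519


@dataclass(frozen=True)
class Token:
    """Minimal model of the creator's access token (constructed; not a real
    Windows or Samba token structure)."""
    user_sid: str
    primary_group_sid: str
    group_sids: frozenset


def default_admin_group(partition: str) -> str:
    """DAG for the naming context the new object lands in.

    Domain Admins for the domain NC, Enterprise Admins for the configuration
    and schema NCs: this is my reading of the MS-ADTS DAG rules the post
    refers to, stated here as an assumption."""
    if partition == "domain":
        return DOMAIN_ADMINS
    if partition in ("configuration", "schema"):
        return ENTERPRISE_ADMINS
    raise ValueError("unknown partition: " + partition)


def default_owner(token: Token, partition: str) -> str:
    """OWNER defaulting: the DAG if the creator is a member of it, otherwise
    the creator's own SID (the post's case: Domain Admins as owner)."""
    dag = default_admin_group(partition)
    return dag if dag in token.group_sids else token.user_sid


def default_group_spec_text(token: Token, partition: str) -> str:
    """GROUP as the quoted MS-ADTS 7.1.3.6 sentence reads: if the DAG was used
    as the default OWNER, the same SID goes into GROUP. The post quotes only
    that branch; falling back to the token's primary group otherwise is an
    assumption."""
    dag = default_admin_group(partition)
    if default_owner(token, partition) == dag:
        return dag
    return token.primary_group_sid


def default_group_observed(token: Token, partition: str) -> str:
    """GROUP as observed on Windows Server 2003 and as MS-DTYP
    CreateSecurityDescriptor specifies: always the token's primary group,
    regardless of partition or owner."""
    return token.primary_group_sid


def default_owner_and_group(token: Token, partition: str, rule: str) -> tuple:
    """(OWNER, GROUP) for a create without nTSecurityDescriptor under the
    given rule, 'spec_text' or 'observed'."""
    group_fn = {"spec_text": default_group_spec_text,
                "observed": default_group_observed}[rule]
    return default_owner(token, partition), group_fn(token, partition)


def reproduce_thread_example() -> dict:
    """The two runs from the post: creator in Domain Admins with primary group
    Domain Users, then with the primary group changed to Domain Admins."""
    creator = DOMAIN_SID + "-1105"  # constructed user RID
    groups = frozenset({DOMAIN_USERS, DOMAIN_ADMINS})
    first = Token(creator, DOMAIN_USERS, groups)
    second = Token(creator, DOMAIN_ADMINS, groups)
    return {
        "spec_text_primary_domain_users": default_owner_and_group(first, "domain", "spec_text"),
        "observed_primary_domain_users": default_owner_and_group(first, "domain", "observed"),
        "observed_primary_domain_admins": default_owner_and_group(second, "domain", "observed"),
    }


if __name__ == "__main__":
    for name, (owner, group) in reproduce_thread_example().items():
        print(f"{name}: OWNER={owner} GROUP={group}")
```

The divergence is not cosmetic for an implementer: inheritable ACEs granted to CREATOR GROUP (S-1-3-1) are resolved against the new object's GROUP field when the DACL is computed, so the two rules can produce different effective permissions on the same newly created OU.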
Re: Question about owner and group defaulting rules in MS-ADTS

Good morning! I have created case SRX090804600022 to track our work for your request. One of my team colleagues will take ownership of the case and contact you shortly.

Regards,
Bill Wesse
CELL: +1(704) 661-5438

From: Nadezhda Ivanova
Re: Question about owner and group defaulting rules in MS-ADTS

Hi Nadezhda:

I have assumed the ownership of this issue. I’ll keep you updated on the progress as appropriate. If you have any further question/clarification on this issue, please feel free to contact me.

Regards,
Obaid Farooqi
Sr. Support Escalation Engineer | Microsoft

From: Bill Wesse
Good morning! I have created case SRX090804600022 to track our work for your request. One of my team colleagues will take ownership of the case and contact you shortly.

Regards,
CELL: +1(704) 661-5438

From: Nadezhda Ivanova
Hi Nadezhda:
I have just sent you the answer for the security descriptor
algorithm question. The work on “owner and group rules in MS-ADTS” is in
progress and I’ll be in touch as soon as I have an answer.
Thanks for your patience.
Regards,
Obaid Farooqi
Sr. Support Escalation Engineer | Microsoft
From: Nadezhda Ivanova
[mailto:nadezhda.ivanova@...]
Sent: Tuesday, August 11, 2009 5:33 AM
To: Obaid Farooqi
Cc: pfif@...; cifs-protocol@...
Subject: RE: Question about owner and group defaulting rules in MS-ADTS
Hi Obaid,
Is there any progress on this issue, or my other enquiry about the
security descriptor creation algorithms? It’s been a while now and we need this
information to be able to include the security implementation in the next alpha
of Samba 4.
Best Regards,
Nadezhda Ivanova
From: Obaid Farooqi
Sent: Wednesday, August 05, 2009 6:33 PM
To: Nadezhda Ivanova
Cc: pfif@...; cifs-protocol@...
Subject: RE: Question about owner and group defaulting rules in MS-ADTS
Hi Nadezhda:
I have assumed the ownership of this issue. I’ll keep you
updated on the progress as appropriate.
If you have any further question/clarification on this issue,
please feel free to contact me.
Regards,
Obaid Farooqi
Sr. Support Escalation Engineer | Microsoft
From: Bill Wesse
Sent: Tuesday, August 04, 2009 8:13 AM
To: Nadezhda Ivanova; Interoperability Documentation Help
Cc: pfif@...; cifs-protocol@...
Subject: RE: Question about owner and group defaulting rules in MS-ADTS
Good morning! I have created case SRX090804600022 to track our
work for your request. One of my team colleagues will take ownership of the
case and contact you shortly.
Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL: +1(980) 776-8200
CELL: +1(704) 661-5438
FAX: +1(704) 665-9606
From: Nadezhda Ivanova
[mailto:nadezhda.ivanova@...]
Sent: Tuesday, August 04, 2009 3:58 AM
To: Interoperability Documentation Help
Cc: pfif@...; cifs-protocol@...
Subject: Question about owner and group defaulting rules in MS-ADTS
Nadezhda Ivanova | CISCO SYSTEMS BULGARIA EOOD
Hi Nadezhda:
We have finished our investigation on “Owner and Group
Defaulting Rules”. In a future version of MS-ADTS, section 7.1.3.6 and
7.1.3 will be modified. Please find the PDF version of modifications attached
to this email.
Please let me know if this answers your question. If yes,
I’ll consider this issue resolved.
Regards,
Obaid Farooqi
Sr. Support Escalation Engineer | Microsoft
From: Nadezhda Ivanova
[mailto:nadezhda.ivanova@...]
Sent: Tuesday, August 04, 2009 2:58 AM
To: Interoperability Documentation Help
Cc: pfif@...; cifs-protocol@...
Subject: Question about owner and group defaulting rules in MS-ADTS
Hi Obaid,
Thank you for the attached information. I
think it answers the question. Will let you know if something else comes up,
but at this point this seems reasonable.
Regards,
Nadezhda Ivanova
From: Obaid Farooqi [mailto:obaidf@...]
Sent: Friday, August 14, 2009 7:12
Subject: RE: Question about owner and group defaulting rules in MS-ADTS