s4:provision: set the correct nTSecurityDescriptor on CN=Domain Controllers,... ...

[kai/samba.git] / source4 / scripting / python / samba / provision / descriptor.py

diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py
index 2a98168a5eb65d2885a6e5fcd6cffc2b7dda32a8..adf75797ccf466afc0f4b99f8d45bcc6b5d472b1 100644 (file)
--- a/source4/scripting/python/samba/provision/descriptor.py
+++ b/source4/scripting/python/samba/provision/descriptor.py
@@ -237,6 +237,18 @@ def get_domain_users_descriptor(domain_sid):
     sec = security.descriptor.from_sddl(sddl, domain_sid)
     return ndr_pack(sec)
 
+def get_domain_controllers_descriptor(domain_sid):
+    sddl = "D:" \
+    "(A;;RPLCLORC;;;AU)" \
+    "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \
+    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+    "(A;;RPLCLORC;;;ED)" \
+    "S:" \
+    "(AU;SA;CCDCWOWDSDDT;;;WD)" \
+    "(AU;CISA;WP;;;WD)"
+    sec = security.descriptor.from_sddl(sddl, domain_sid)
+    return ndr_pack(sec)
+
 def get_dns_partition_descriptor(domainsid):
     sddl = "O:SYG:BAD:AI" \
     "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \