Today I have had to deal with an environment where I had to fix a lot of sysvol permissions, with a lot of different policies with different permissions.
I began doing it by hand using samba-tool ntacl set sddl-ACL path, but I soon realized this was a nightmare. So I invested some time in writing a small Python script that did at least part of this for me:
    import os
    import subprocess
    import sys

    # SDDL string to apply, passed as the first argument.
    sddl = sys.argv[1]

    def set_acl(path):
        # Arguments go in a list, so spaces or quotes in a path are never parsed by a shell.
        subprocess.run(["samba-tool", "ntacl", "set", sddl, path])

    # Apply the ACL to the current directory and everything below it.
    for dirname, dirnames, filenames in os.walk(os.getcwd()):
        set_acl(dirname)
        for f in filenames:
            path = os.path.join(dirname, f)
            if os.path.isfile(path):
                set_acl(path)
With this I at least only had to do it once per policy. Once that was done, I wrote a bash script that takes the path and the SDDL from samba-tool ntacl sysvolcheck and runs the script above until that command succeeds:
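    #!/bin/bash
    # Absolute path to the Python script (assumed to sit next to this one), so it is still found after cd.
    SCRIPT="$(cd "$(dirname "$0")" && pwd)/script.py"

    # Repeat until sysvolcheck reports no more errors.
    until samba-tool ntacl sysvolcheck 2>/dev/null
    do
        # Run the check once and work on the first reported error.
        ERR=$(samba-tool ntacl sysvolcheck 2>&1 | grep ERROR | head -n 1)
        DIR=$(printf '%s\n' "$ERR" | cut -d" " -f12)
        PERM=$(printf '%s\n' "$ERR" | cut -d" " -f19)
        cd "$DIR" || exit 1
        python "$SCRIPT" "$PERM"
    done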
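Since the loop above applies whatever SDDL sysvolcheck reports to a whole policy tree, it helps to decode that string before it is written everywhere. The following is an added example, not part of the original scripts: the function names, the list of "broad" trustees and the two sample SDDL strings are constructed for illustration.

```python
import re

# Trustees that cover (almost) every account; write access for them on sysvol
# would let any domain user tamper with policy files.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users",
         "DU": "Domain Users", "BU": "Builtin Users"}
# Access-mask bits that allow modification: file write/append/write-EA/
# delete-child/write-attributes, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_ALL/WRITE.
WRITE_MASK = (0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
              | 0x10000000 | 0x40000000)
# Two-letter rights codes that imply the same.
WRITE_LETTERS = {"FA", "FW", "GA", "GW", "WD", "WO", "SD"}

def parse_sddl(sddl):
    """Return (owner, group, dacl_flags, aces); each ACE is a dict."""
    parts = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))
    dacl = parts.get("D", "")
    flags = re.match(r"[A-Z]*", dacl).group()
    keys = ("type", "flags", "rights", "object", "inherit_object", "trustee")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append(dict(zip(keys, fields)))
    return parts.get("O"), parts.get("G"), flags, aces

def grants_write(rights):
    """True if the rights field (hex mask or two-letter codes) allows changes."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    pairs = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(pairs & WRITE_LETTERS)

def risky_aces(sddl):
    """Allow ACEs that give a broad trustee write access."""
    aces = parse_sddl(sddl)[3]
    return [a for a in aces if a["type"] in ("A", "OA")
            and a["trustee"] in BROAD and grants_write(a["rights"])]

# Constructed sample values, not taken from a real domain.
GOOD = "O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
BAD = "O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;AU)"

if __name__ == "__main__":
    for name, s in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, [(a["trustee"], a["rights"]) for a in risky_aces(s)])
```

An empty list means no broad trustee gets write access; anything else is worth a look before the SDDL is applied recursively.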
Hope this is useful if you were looking for this.
P.S. You can find the code on my GitHub, under GPLv2 as ever.