All,
When editing a security descriptor within SCM and exporting it to a GPO backup I've noticed that the semicolons are surrounded by quotes, breaking the import function. Example:
Take the ws2012 Member server Security compliance template and create an editable copy. In the copied template, edit the policy "DCOM: Machine Access restrictions in Security Definition Language (SDDL) syntax". Add the following:
O:BAG:BAD:(A;;CCDCLC;;;WD)
Now, export the policy using the GPO Backup (folder).
Browse to the GptTmpl.inf file within the exported policy (<ID>\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit) and do a search for the DCOM option. You will see that the export function added quotes around the semicolons:
"O:BAG:BAD:(A";"";"CCDCLC";"";"";"WD)"
This will break the import function.
Just give it a try and use the above info to do an import using the localGPO tool. The security descriptor will be broken (use the "Local Security Policy" tool to verify).
Question: Is this a known bug? Anything we can do about it?
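
An added example, not part of the original post and not SCM or LocalGPO code: a Python check that finds SDDL values in GptTmpl.inf text whose fields were quoted one by one, as in the line above, and re-joins them before import. It assumes the `key=type,value` line layout and works on text already read from the file; the sample lines and registry key names are constructed for illustration.

```python
import re

ACE = re.compile(r"\(([^()]*)\)")  # one parenthesised ACE inside an SDDL string

def repair_value(value):
    """Re-join an SDDL whose fields were quoted one by one around each ';'."""
    fields = value.strip().split(";")
    quoted = all(len(f) >= 2 and f[0] == '"' and f[-1] == '"' for f in fields)
    if len(fields) < 2 or not quoted:
        return value  # already intact, or not the pattern shown in the post
    return '"' + ";".join(f[1:-1] for f in fields) + '"'

def aces_well_formed(sddl):
    """Basic shape check: every (...) ACE has six ';'-separated fields."""
    aces = ACE.findall(sddl)
    return bool(aces) and all(a.count(";") == 5 for a in aces)

def repair_inf_text(text):
    """Return (fixed_text, changed_keys) for 'key=type,value' lines."""
    out, changed = [], []
    for line in text.splitlines():
        key, eq, rest = line.partition("=")
        typ, comma, value = rest.partition(",")
        fixed = repair_value(value) if eq and comma else value
        # Only rewrite when the re-joined string still looks like an SDDL.
        if fixed != value and aces_well_formed(fixed):
            line = f"{key}={typ},{fixed}"
            changed.append(key.strip())
        out.append(line)
    return "\n".join(out), changed

# Constructed sample: first value mangled as in the post, second intact.
SAMPLE = "\n".join([
    "[Registry Values]",
    r'MACHINE\Software\Policies\Microsoft\Windows NT\DCOM\MachineAccessRestriction=1,"O:BAG:BAD:(A";"";"CCDCLC";"";"";"WD)"',
    r'MACHINE\Software\Policies\Microsoft\Windows NT\DCOM\MachineLaunchRestriction=1,"O:BAG:BAD:(A;;CCDCLC;;;WD)"',
])

if __name__ == "__main__":
    fixed, changed = repair_inf_text(SAMPLE)
    print(fixed)
    print("repaired:", changed)
```

Review the list of repaired keys before importing, and confirm the resulting descriptor in the "Local Security Policy" tool as described above.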