[Samba] Samba 4.1 DC Account Operators permissions problem

James O'Neill joneill at une.edu.au
Fri Aug 1 20:12:44 MDT 2014

There appears to be a bug in the samba 4.1 DC builtin group Account Operators permisssions.

By definition, members of the Account Operators group can add, edit, and delete normal user accounts in the domain, except those for domain user accounts who are members of domain Account Operators, Administrators, Backup Operators, Print Operators Server Operators, and Domain Admins. This account is very useful for delegating some authority to selected users so that they can create and manage user accounts without having access to the administration groups.

In our samba 4.1 domain, a freshly created domain user account that has membership only to Domain Users and Account Operators groups actually then has full permissions to modify (and add to) the Administrators and Domain Admins groups. This is not expected behavior!

I have verified this behavior on our working domain with samba 4.1.10 DCs.  Also I set up a simple test domain with a samba 4.1.6 DC and it also displays the incorrect behavior above.

Can anyone suggest a fix for this problem?


Jim O'Neill
IT Manager
School of Environmental and Rural Science
Faculty of Arts and Sciences
University of New England
Armidale NSW 2351 Australia
Email:joneill at une.edu.au
Phone: 02-6773-2667
Mob: 0409-200-340
Fax: 02 6773 2769

More information about the samba mailing list