[Samba] roaming profile does not work for "Domain Admins"

[?icro MEGAS]

Hello list,

I am facing an issue which I cannot explain myself. The roaming profiles don't work for users that are members of the group "Domain Admins". The [profiles] share on the member server was configured exactly as explained on the wiki for roaming profiles. It works like a charm for all domain users, *BUT*: if a user is member of the group "Domain Admins" it *doesn't* :-( That means in detail:

I create a new user "test1" and assign the correct profile directory to that user (\\membersrv\profiles\test1). I add this user also to the "MYDOM\Domain Admins" group. On the windows client I login for the first time with "test1" user and I watch the content of the linux filesystem on my member server. As soon as "test1" is logged in on the client, a directory membersrv:/srv/samba/profiles/test1 is created with the appropriate mode and owner+group. Until here everything is fine, but as soon as user "test1" logs off, *NO DATA IS WRITTEN* into its roaming profile directory.

When I remove that user "test1" from the group "Domain Admins", so in result "test1" is not a member of "Domain Admins" anymore, the roaming profile works like a charm as one would expect. When the user logs off, data is written correctly to its roaming profile.

I don't suspect security issues on Windows or POSIX ACLs, because the user "test1" can create directory "something" on \\membersrv\profiles and inside \\membersrv\profiles\something he is allowed to create subdirs or files. I don't think that's the problem. I ensured that by putting "EVERYONE" to sharing and security settings for the [profiles] share, but it didn't help either.

I cannot explain myself where this is related to. I'm stuck here for many hours and have no clue where else to look at. Any help really appreciated.

Mirco