[Samba] Windows ACL clarification for Roaming Profiles share

Rowland Penny rpenny at samba.org
Fri Feb 17 09:28:31 UTC 2017

On Fri, 17 Feb 2017 07:58:58 +0100
Marc Muehlfeld <mmuehlfeld at samba.org> wrote:

> Am 16.02.2017 um 17:27 schrieb Rowland Penny via samba:
> > However, SYSTEM is used in sysvol and Windows expects it.
> Clients, who are accessing the share, do not require it to be set on
> the local filesystem the share uses on the server, because SYSTEM is
> a local principal on each host (in this case, the DC that hosts the
> sysvol share).
> The sysvol share works also if you remove the SYSTEM principal. The
> principal is used, as everywhere else, to enable e. g. local services
> that use the SYSTEM account, to access the content on the local file
> system. That's why it is usually added to file system ACLs everywhere
> on Windows, but it's nothing Windows expects nor requires.
> For this reason, if you remove SYSTEM from the Sysvol's file system
> ACLs, the share works completely the same. Regardless if you do this
> on a Windows or on a Samba DC.

So, I give you a link to a Microsoft page that shows what accounts are
required for the profiles share and you choose to ignore it ????


More information about the samba mailing list