[Samba] Windows ACL clarification for Roaming Profiles share

Marc Muehlfeld mmuehlfeld at samba.org
Sat Feb 18 00:14:57 UTC 2017

Hi Louis,

Am 17.02.2017 um 09:26 schrieb L.P.H. van Belle via samba:
>> What uses the SYSTEM principal on the Sysvol share?
> Every computer or user the has a GPO set.

You may be right that "computer" GPOs are applied locally using the 
SYSTEM account. However, this is _local_ and the computer does not 
access the Sysvol share using the SYSTEM account. To download the 
computer GPOs, the machine account is used to connect to the share. 
Per-user GPOs are downloaded using the user's permissions and applied to 
the user's files and registry (HKCU).

However, I gave it a try, to see if my knowledge is meanwhile outdated:
- I removed the SYSTEM account from the Sysvol share including from all 
- I created two GPOs in the "Default domain policy":
   - I set a different background for the logon screen (computer)
   - I removed the "change password" entry from the
     CTRL+ALT+DEL menu (user)
   - I mapped the Sysvol share using GPO preferences (user)
- I rebooted my Win10 client.

After the reboot, the background was changed and after I logged in, the 
entry was hidden in the menu and the share connected. The Sysvol share 
works without SYSTEM account in the ACLs locally on the share.

Give it a try if you don't believe me. :-)

> Do read:
> https://technet.microsoft.com/en-us/library/dd851678(v=ws.11).aspx
> And see here, Security options :
> Computer Configuration , by default the task is run in the security context of the SYSTEM account.

This is about tasks that run locally. And locally on a Windows machine 
is where the SYSTEM account is usually used. If the local SYSTEM Account 
tries to access a network resource, it uses the machine account to 

That's why it is not necessary to add SYSTEM to the file system ACLs on 
a Samba share: SYSTEM is just an account that exists _locally_ and is 
not used when connecting to network resources.

If you have anything (a service, a task job, etc.) running on your 
_local_ computer that uses the SYSTEM account, then SYSTEM must be of 
course added to the local file system ACLs if this task, etc. should be 
able to access _local_ files.

Here's a nice explanation of the SYSTEM account:

See also:


More information about the samba mailing list