[Samba] Windows ACL clarification for Roaming Profiles share
mmuehlfeld at samba.org
Sat Feb 18 00:14:57 UTC 2017
On 17.02.2017 at 09:26, L.P.H. van Belle via samba wrote:
>> What uses the SYSTEM principal on the Sysvol share?
> Every computer or user that has a GPO set.
You may be right that "computer" GPOs are applied locally using the
SYSTEM account. However, this is _local_ and the computer does not
access the Sysvol share using the SYSTEM account. To download the
computer GPOs, the machine account is used to connect to the share.
Per-user GPOs are downloaded using the user's permissions and applied to
the user's files and registry (HKCU).
However, I gave it a try, to see if my knowledge is outdated by now:
- I removed the SYSTEM account from the Sysvol share including from all
- I created two GPOs in the "Default domain policy":
  - I set a different background for the logon screen (computer)
  - I removed the "change password" entry from the CTRL+ALT+DEL menu (user)
  - I mapped the Sysvol share using GPO preferences (user)
- I rebooted my Win10 client.
After the reboot, the background was changed and after I logged in, the
entry was hidden in the menu and the share connected. The Sysvol share
works without the SYSTEM account in the ACLs locally on the share.
Give it a try if you don't believe me. :-)
> Do read:
> And see here, Security options :
> Computer Configuration , by default the task is run in the security context of the SYSTEM account.
This is about tasks that run locally. And locally on a Windows machine
is where the SYSTEM account is usually used. If the local SYSTEM account
tries to access a network resource, it uses the machine account to
That's why it is not necessary to add SYSTEM to the file system ACLs on
a Samba share: SYSTEM is just an account that exists _locally_ and is
not used when connecting to network resources.
If you have anything (a service, a task job, etc.) running on your
_local_ computer that uses the SYSTEM account, then of course SYSTEM must
be added to the local file system ACLs if this task, etc. should be
able to access _local_ files.
Here's a nice explanation of the SYSTEM account:
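As an added example (not part of the original post or of Samba's own code): a small Python audit that parses smbcacls-style ACL output for a Sysvol path, flags an NT AUTHORITY\SYSTEM entry as having no effect for network clients (the point made above), and lists the principals that can actually read the share over the network. The ACL text is constructed, and the function names are my own.

```python
"""Audit an smbcacls-style ACL listing of a Sysvol path.

Two checks follow from the thread: a SYSTEM entry (S-1-5-18) only
matters for local access and is redundant in a share ACL, while the
principals that really connect (machine accounts, users) need read.
"""
import re

# Constructed sample in the line format smbcacls prints; not output
# captured from any real domain controller.
SAMPLE_ACL = """\
REVISION:1
CONTROL:SR|PD|DI|DP
OWNER:BUILTIN\\Administrators
GROUP:EXAMPLE\\Domain Users
ACL:NT AUTHORITY\\SYSTEM:ALLOWED/OI|CI/FULL
ACL:EXAMPLE\\Domain Admins:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\\Authenticated Users:ALLOWED/OI|CI/READ
ACL:BUILTIN\\Server Operators:DENIED/0x0/W
"""

# ACL:<trustee>:<ALLOWED|DENIED>/<inheritance flags>/<permissions>
ACE_RE = re.compile(r"^ACL:(.+?):(ALLOWED|DENIED)/([^/]*)/(.+)$")


def parse_aces(text):
    """Return (trustee, type, flags, perms) tuples for each ACL: line."""
    return [m.groups() for m in (ACE_RE.match(l.strip())
                                 for l in text.splitlines()) if m]


def is_local_only(trustee):
    """Local System by name or by its well-known SID S-1-5-18."""
    t = trustee.upper()
    return t == "S-1-5-18" or (t.startswith("NT AUTHORITY\\") and t.endswith("\\SYSTEM"))


def grants_read(perms):
    """FULL/CHANGE/READ keywords, or an 'R' in a granular RWXDPO string."""
    return perms in ("FULL", "CHANGE", "READ") or "R" in perms


def audit_sysvol_acl(text):
    """Split trustees into redundant local-only entries and real network readers."""
    aces = parse_aces(text)
    local_only = [t for t, _, _, _ in aces if is_local_only(t)]
    readers = [t for t, kind, _, perms in aces
               if kind == "ALLOWED" and grants_read(perms) and not is_local_only(t)]
    return {"local_only": local_only, "network_readers": readers}
```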