[Samba] using Windows AD unwanted Group rights get applied to new Files

Rowland Penny rpenny at samba.org
Wed Aug 8 07:17:26 UTC 2018

On Tue, 07 Aug 2018 22:43:23 +0100
Miguel Medalha via samba <samba at lists.samba.org> wrote:

> > By default, every AD user is a member of 'Domain Users' and so, 
> > when you use the 'rid' backend every Unix user gets the group as
> > their primary group.
> > The only way to change this is by using a version of Samba >= 4.6.0
> > and use the 'ad' backendĀ  (...)
> You can also use RSAT and define some other group as the user's
> primary group, and still use 'rid' backend. If I remember well, the
> setting resides in the "Member of" tab of Active Directory Users and
> Computers (ADUC).

Wrong, that just adds another attribute ('msSFU30PosixMember' I
think) and this is ignored.

Yes, there is another way, add user to a group, change users
primaryGroupID attribute to contain the RID of the new group and your
users group on Unix will be the new group. Unfortunately there is a big
problem with doing this, it breaks Windows, as it relies on all users
being a member of Domain Users and that group not actually having any
members ;-)


More information about the samba mailing list