[Samba] using Windows AD unwanted Group rights get applied to new Files

miguel medalha medalist at sapo.pt
Fri Aug 10 12:20:15 UTC 2018

> > > By default, every AD user is a member of 'Domain Users' and so, 
> > > when you use the 'rid' backend every Unix user gets the group as
> > > their primary group.
> > 
> > > The only way to change this is by using a version of Samba >= 4.6.0
> > > and use the 'ad' backend  (...)
> > 
> > You can also use RSAT and define some other group as the user's
> > primary group, and still use 'rid' backend. If I remember well, the
> > setting resides in the "Member of" tab of Active Directory Users and
> > Computers (ADUC).

> Wrong, that just adds another attribute ('msSFU30PosixMember' I
> think) and this is ignored.

> Yes, there is another way, add user to a group, change users
> primaryGroupID attribute to contain the RID of the new group and your
> users group on Unix will be the new group. Unfortunately there is a big
> problem with doing this, it breaks Windows, as it relies on all users
> being a member of Domain Users and that group not actually having any
> members ;-)

Are you sure about that? I am using the RID backend and I just tested this:

I logged on to Windows 7 as a regular user having a particular group set as "Primary group" and I created a new file and a new folder inside a share. Looking at it on the security tab, I can see that the "Domain Users" group is not in the list of permissions. I logged out.

As Administrator, using ADUC, in the "Member of" tab I changed the primary group of the same user to the "Domain users" default.

I logged on again as the same regular user and I created a new file and a new folder inside the same share. Looking at the "Security" tab, I see that the "Domain users" group is now there, with advanced permissions of "Full Control, This object only" and "Full Control, This folder only".

Resetting the user's primary group to its original group restores the intended behavior, the "Domain Users" is no longer present in newly created files or folders.

This is a Samba Active Directory serving a network of mainly Windows 7 machines. The Samba version is 4.8.3. As I said before, the RID backend is in use.

More information about the samba mailing list