[Samba] using Windows AD unwanted Group rights get applied to new Files

miguel medalha medalist at sapo.pt
Fri Aug 10 13:32:01 UTC 2018

> > I logged on to Windows 7 as a regular user 

> What do you mean by 'regular user'?

I used the expression 'regular user' because I wanted to make it clear that this user does not have any administrative rights whatsoever.

> >having a particular group
> > set as "Primary group" 

> How are you setting the 'primary group'?

The 'primary group' had been set a long time ago, when the system was created. It had been set with ADUC, under the "Member of" tab, as told before.

> By default all AD users (aka windows users) are members of the 'Domain
> Users' group even though they do not appear in the 'Domain Users' AD
> object.

Yes, of course. That's not the point.

> > and I created a new file and a new folder
> > inside a share. Looking at it on the security tab, I can see that the
> > "Domain Users" group is not in the list of permissions. I logged out.

> Have you done something strange like changing the contents of the user's
> 'primaryGroupID' attribute?
> > 
> > As Administrator, using ADUC, in the "Member of" tab I changed the
> > primary group of the same user to the "Domain users" default.

> Yep, it sounds like you have.

> > I logged on again as the same regular user and I created a new file
> > and a new folder inside the same share. Looking at the "Security"
> > tab, I see that the "Domain users" group is now there, with advanced
> > permissions of "Full Control, This object only" and "Full Control,
> > This folder only".
> > 
> > Resetting the user's primary group to its original group restores the
> > intended behavior, the "Domain Users" is no longer present in newly
> > created files or folders.

> No, this is not the intended behaviour, it might be your intended
> behavior, but it isn't Windows.

It is also the behavior intended by the OP. Shouldn't a folder inherit the permissions of its parent when inheritance is on? If so, why does the group "Domain users" appear there with "Full control" permissions when it is not present in the parent folder?

> All the 'rid' backend does is calculate the user & group ID's from
> their 'RID'. 

Yes, I know, but one of your previous posts seems to imply that the behavior the OP wants is not possible unless you use the AD backend or a convoluted workaround. You also stated that changing the "primary group" would be ignored, which it isn't. I thought it would be helpful to actually test it... I found the problem the OP complained about somewhat strange because I had never met it, and I had never met it because all my users had their primary group set to the intended group from the beginning, some years ago.
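
Added illustration (not part of the mailing-list message, nor Samba's own code) of the two mechanisms the thread turns on: the 'rid' backend deriving a Unix ID from a RID, and the user's primaryGroupID selecting which group becomes the Unix group owner of files that user creates. The idmap range, domain SID and the non-default group RID 1105 are constructed values for the example.

```python
import re

# Constructed smb.conf values assumed for this example (not from the thread):
#   idmap config SAMDOM : backend = rid
#   idmap config SAMDOM : range = 10000-999999
RANGE_LOW, RANGE_HIGH = 10000, 999999
BASE_RID = 0                 # idmap_rid default "base_rid"
DOMAIN_USERS_RID = 513       # well-known RID of "Domain Users"

def parse_sid(sid):
    """Split a domain SID into (domain part, RID)."""
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)", sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))

def rid_to_unix_id(rid):
    """idmap_rid mapping: ID = RID - base_rid + low end of the range."""
    unix_id = rid - BASE_RID + RANGE_LOW
    if not RANGE_LOW <= unix_id <= RANGE_HIGH:
        raise ValueError(f"RID {rid} maps outside the configured range")
    return unix_id

def primary_group_of(user_sid, primary_group_id):
    """The user's primary group is the domain SID plus primaryGroupID (a RID).
    Its Unix gid becomes the group owner of files the user creates, which is
    the group Samba then reports on the Windows Security tab."""
    domain, _user_rid = parse_sid(user_sid)
    return f"{domain}-{primary_group_id}", rid_to_unix_id(primary_group_id)

def group_owner_on_new_file(user_sid, primary_group_id):
    """Name the group a newly created file ends up with, as seen from Windows."""
    group_sid, gid = primary_group_of(user_sid, primary_group_id)
    label = "Domain Users" if primary_group_id == DOMAIN_USERS_RID else "other group"
    return {"group_sid": group_sid, "gid": gid, "label": label}

if __name__ == "__main__":
    user = "S-1-5-21-111-222-333-1105"          # constructed user SID
    print(group_owner_on_new_file(user, DOMAIN_USERS_RID))  # default primary group
    print(group_owner_on_new_file(user, 1106))              # primary group changed in ADUC
```

Running it shows why the "Domain Users" entry only appears on new files while primaryGroupID is 513: with any other primary group the file's Unix group owner, and therefore the group exposed on the Security tab, is that other group.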
