[Samba] What's the use of SeDiskOperatorPrivilege?

Andrew Walker walker.aj325 at gmail.com
Wed Jan 27 17:56:40 UTC 2021

On Wed, Jan 27, 2021 at 12:01 PM Matthias Leopold via samba <
samba at lists.samba.org> wrote:

> Hi,
> I seem to be going in circles when trying to understand "administrative
> access" to a share on a domain member fileserver:
> What is the use of granting SeDiskOperatorPrivilege to certain groups on
> a fileserver so they can manage share permissions when the recommended
> and default setting for share permissions is "Full control" for
> "Everyone" anyway? This setting is also _needed_ for the Domain
> Administrator to _effectively_ get access to the share when using "!root
> = SAMDOM\Administrator" in "username map".
> I'm referring to
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Mapping_the_Domain_Administrator_Account_to_the_Local_root_User
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_Share_Permissions_and_ACLs
> Please enlighten me.
> thx
> Matthias
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Privileges define what a user/group can do regardless of the ACL on a file.
For example, a user with SeTakeOwnershipPrivilege can take ownership of a
file regardless of the permissions on it.  This is obviously a privilege
that must be handed out carefully (as with all of them). Being able to
define what users and groups can and cannot do independently of file ACLs is
particularly important for RPC connections (like when you're using the
"Computer Management" tool on a Windows client).

The BUILTIN\administrators group also always has this privilege (and other
admin-related ones), and so as long as the account is a member of "domain
admins", there is no need to explicitly grant this privilege.
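As an added illustration of the point above (this is example code, not part of the thread or the Samba project): because privileges act regardless of file ACLs, the practical check is to audit which accounts hold them. The script below parses the text that `net rpc rights list accounts` prints and flags accounts outside the built-in admin groups that hold high-impact privileges such as SeDiskOperatorPrivilege or SeTakeOwnershipPrivilege. The sample output embedded in it is constructed, and the assumed output format (an account name line, then one privilege per line or "No privileges assigned", blank lines between accounts) is an assumption about the tool's output.

```python
"""Audit which accounts on a Samba server hold high-impact privileges.

Added example, not from the mailing-list thread or the Samba project.
It parses the text that `net rpc rights list accounts` prints, assumed
here to be: an account name line, followed by one privilege per line
(or "No privileges assigned"), with a blank line between accounts.
"""
import re

# Privileges that act regardless of file ACLs (see the reply above).
SENSITIVE_PRIVILEGES = {
    "SeTakeOwnershipPrivilege",
    "SeDiskOperatorPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeSecurityPrivilege",
}

# Groups that hold these privileges by default; anything else is reported.
EXPECTED_HOLDERS = {
    "BUILTIN\\Administrators",
    "BUILTIN\\Backup Operators",
    "BUILTIN\\Server Operators",
}

# Constructed sample output (not captured from a real server).
SAMPLE_OUTPUT = """\
BUILTIN\\Print Operators
SePrintOperatorPrivilege

BUILTIN\\Account Operators
No privileges assigned

BUILTIN\\Backup Operators
SeBackupPrivilege
SeRestorePrivilege

BUILTIN\\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege

SAMDOM\\Storage Admins
SeDiskOperatorPrivilege

SAMDOM\\helpdesk
SeTakeOwnershipPrivilege
"""

# Privilege names follow the Se...Privilege naming pattern.
PRIV_RE = re.compile(r"^Se[A-Za-z]+Privilege$")


def parse_rights(text):
    """Return {account: set(privileges)} from the tool's text output."""
    rights = {}
    account = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            account = None  # blank line ends the current account block
            continue
        if account is None:
            account = line
            rights[account] = set()
        elif PRIV_RE.match(line):
            rights[account].add(line)
        # "No privileges assigned" (or any other text) leaves the set empty.
    return rights


def audit(rights, sensitive=SENSITIVE_PRIVILEGES, expected=EXPECTED_HOLDERS):
    """Return {account: sorted sensitive privileges} for unexpected holders."""
    findings = {}
    for account, privs in rights.items():
        if account in expected:
            continue
        held = sorted(privs & sensitive)
        if held:
            findings[account] = held
    return findings


if __name__ == "__main__":
    for account, held in audit(parse_rights(SAMPLE_OUTPUT)).items():
        print(f"{account}: {', '.join(held)}")
```

On a real member server you would feed the script the actual output (for example `net rpc rights list accounts -U 'SAMDOM\administrator'`) instead of the constructed sample; the expected-holder set is deliberately small so that any custom group granted one of these privileges shows up for review.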
