[Samba] Setting permissions on AD member file server

Gregory Sloop gregs at sloop.net
Fri Mar 11 16:02:55 UTC 2022

> On Fri, 2022-03-11 at 07:31 -0800, Gregory Sloop via samba wrote:

>> I'm feeling really stupid this AM - lets use small words to make sure
>> I understand this properly - I need to add the users that need to
>> edit permissions to the BUILTIN/Administrators group, because "Domain
>> Admins" won't cut it. Right?

> Wrong , that is how it is supposed to work.\
Wrong, meaning, that Domain Admins *should* be able to change permissions, and now it's "wrong" and doesn't work that way?
Or "Wrong" Domain admins shouldn't be able to change permissions?
(I'm pretty sure it's the first [especially with what you say in the following para], but your reply is very ambiguous.)

>> Is that normal? ...I.E. It's been a while and I don't have a native
>> Windows setup to tinker on handy, but IIRC, each admin group is a
>> super-set of the previous. So Domain Admins has all the rights/privs
>> of Admins, plus some. And Enterprise Admins is a superset of Domain
>> Admins. So, this seems like odd Samba behavior.

> It isn't normal and to the best of my recollection, it used to work
> like that, you logged into Windows as a member of Domain Admins and you
> could change the permissions on a share. I can only do this now if I
> log in as Administrator, with a user.map set in smb.conf and 'min
> domain uid = 0' also set. 
Is the actual administrator *user account* the only one you can do this with, or does the BUILTIN\Administrators group equivalence/membership also work?

> I think you could have found a bug :-/

> Rowland

More information about the samba mailing list