When adding or removing users from groups in the NT USRMGR as a Domain Admin user that isn't root, Samba doesn't call into the LDAP code as root, causing the operation to fail. This patch adds become_root()/unbecome_root() around three other calls to pdb_getsampwsid() in srv_samr_nt.c to fix this problem.

Matt.