diff --git a/source/smbd/open.c b/source/smbd/open.c
index 9b51ff0..2ae56b6 100644
--- a/source/smbd/open.c
+++ b/source/smbd/open.c
@@ -59,6 +59,12 @@ static NTSTATUS check_open_rights(struct connection_struct *conn,
 *access_granted = 0;
+ if (conn->server_info->utok.uid == 0 || conn->admin_user) {
+ /* I'm sorry sir, I didn't know you were root... */
+ *access_granted = access_mask;
+ return NT_STATUS_OK;
+ }
+
 status = SMB_VFS_GET_NT_ACL(conn, fname, (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
@@ -2382,6 +2388,14 @@ NTSTATUS open_directory(connection_struct *conn,
 return status;
 }
+ /* We need to support SeSecurityPrivilege for this. */
+ if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) {
+ DEBUG(10, ("open_directory: open on %s "
+ "failed - SEC_RIGHT_SYSTEM_SECURITY denied.\n",
+ fname));
+ return NT_STATUS_PRIVILEGE_NOT_HELD;
+ }
+
 switch( create_disposition ) {
 case FILE_OPEN:
@@ -2915,8 +2929,23 @@ NTSTATUS create_file_unixpath(connection_struct *conn,
 status = NT_STATUS_PRIVILEGE_NOT_HELD;
 goto fail;
 }
+#else
+ /* We need to support SeSecurityPrivilege for this. */
+ if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) {
+ status = NT_STATUS_PRIVILEGE_NOT_HELD;
+ goto fail;
+ }
+ /* Don't allow a SACL set from an NTtrans create until we
+ * support SeSecurityPrivilege. */
+ if (!VALID_STAT(sbuf) &&
+ lp_nt_acl_support(SNUM(conn)) &&
+ sd && (sd->sacl != NULL)) {
+ status = NT_STATUS_PRIVILEGE_NOT_HELD;
+ goto fail;
+ }
 #endif
+
 if ((conn->fs_capabilities & FILE_NAMED_STREAMS) && is_ntfs_stream_name(fname) && (!(create_options & NTCREATEX_OPTIONS_PRIVATE_STREAM_DELETE))) {
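Review bot: The early return added at the top of check_open_rights hands back `*access_granted = access_mask` verbatim for uid 0 or `conn->admin_user`, and the comment above it is a joke rather than a statement of policy. Because this branch skips the SMB_VFS_GET_NT_ACL evaluation below it, this is the one place where access is decided without consulting the descriptor, so I would replace the comment with `/* root and admin users bypass the NT ACL check; the requested mask is granted unchanged. */` and add `DEBUG(10, ("check_open_rights: root/admin override on %s\n", fname));` so the override shows up in logs. Whether access_mask can still carry unmapped generic or maximum-allowed bits at this point is not visible here and is worth confirming, since they would be copied straight into the granted mask. The function begins and continues outside the hunk.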
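Review bot: In open_directory the comment `/* We need to support SeSecurityPrivilege for this. */` reads like a requirement rather than an explanation that the request is being refused; something like `/* SEC_RIGHT_SYSTEM_SECURITY needs SeSecurityPrivilege, which is not implemented: refuse it for every caller. */` says what the branch does. The refusal is unconditional, so it also applies to the uid 0 / admin_user sessions that check_open_rights now lets through, which looks intended but deserves a word in the comment. The function starts and continues outside the hunk, so what has already happened before this return is not visible.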
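Review bot: The two `goto fail` paths added under `#else` in create_file_unixpath return NT_STATUS_PRIVILEGE_NOT_HELD without logging, while the matching refusal in open_directory emits a DEBUG(10) line. I would add `DEBUG(10, ("create_file_unixpath: open on %s failed - SEC_RIGHT_SYSTEM_SECURITY denied.\n", fname));` before the first `goto fail` and a similar line naming the SACL before the second, so a denied open can be diagnosed from the log. The SACL test only fires when `!VALID_STAT(sbuf)` and `lp_nt_acl_support()` is on; the comment should state what happens to a supplied SACL in the other cases (presumably it is dropped later, but that is not visible here). The `#if` that this `#else` pairs with is outside the hunk.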