When applying an SD to a new filesystem object, Windows sets the owner of the new object to builtin-admins if the user is member of builtin-admins (similar for a system token). On a Windows server this works regardless of whether the parent dir has inheritable ACEs or not: $ ./bin/smbcacls -U Administrator%Passw0rd --numeric //10.10.10.14/data "dir" REVISION:1 CONTROL:0x9404 OWNER:S-1-5-21-124412504-3197034837-3775081848-500 GROUP:S-1-5-21-124412504-3197034837-3775081848-513 ACL:S-1-5-21-124412504-3197034837-3775081848-500:0/0x0/0x001f01ff $ ./bin/smbcacls -U Administrator%Passw0rd --numeric //10.10.10.14/data "dir/bitmap2.bmp" REVISION:1 CONTROL:0x8404 OWNER:S-1-5-32-544 GROUP:S-1-5-21-124412504-3197034837-3775081848-513 ACL:S-1-5-32-544:0/0x0/0x001f01ff ACL:S-1-5-18:0/0x0/0x001f01ff ACL:S-1-5-5-0-144291:0/0x0/0x001200a9 $ ./bin/smbcacls -U Administrator%Passw0rd --numeric //10.10.10.14/data "" REVISION:1 CONTROL:0x9404 OWNER:S-1-5-21-124412504-3197034837-3775081848-500 GROUP:S-1-5-21-124412504-3197034837-3775081848-513 ACL:S-1-5-21-124412504-3197034837-3775081848-500:0/0x3/0x001f01ff [slow@kazak scratch]$ ./bin/smbcacls -U Administrator%Passw0rd --numeric //10.10.10.14/data "bitmap2.bmp" REVISION:1 CONTROL:0x8404 OWNER:S-1-5-32-544 GROUP:S-1-5-21-124412504-3197034837-3775081848-513 ACL:S-1-5-21-124412504-3197034837-3775081848-500:0/0x10/0x001f01ff On a Samba server the logic that implements the owner munging in inherit_new_acl() is only triggered if the parent ACL has inherited ACEs: $ ./bin/smbcacls -U Administrator%locDCpass1 --numeric //127.0.0.30/tmp "dir" REVISION:1 CONTROL:0x8004 OWNER:S-1-5-32-544 GROUP:S-1-5-21-182694069-1167759452-2038352965-513 ACL:S-1-5-21-182694069-1167759452-2038352965-500:0/0x0/0x001f01ff [slow@kazak scratch]$ ./bin/smbclient -U Administrator%locDCpass1 //127.0.0.30/tmp -c "put README dir/README" Domain=[ADDOMAIN] OS=[Windows 6.1] Server=[Samba 4.6.0pre1-DEVELOPERBUILD] putting file README as \dir/README (2883.7 kb/s) (average 2883.8 kb/s) $ ./bin/smbcacls -U Administrator%locDCpass1 --numeric //127.0.0.30/tmp "dir/README" REVISION:1 CONTROL:0x8004 ==> OWNER:S-1-5-21-182694069-1167759452-2038352965-500 GROUP:S-1-22-2-1000 ACL:S-1-5-21-182694069-1167759452-2038352965-500:0/0x0/0x001f019f ACL:S-1-22-2-1000:0/0x0/0x00120089 ACL:S-1-1-0:0/0x0/0x00120089 Owner should be S-1-5-32-544 from token.