Following the link reference (https://wiki.samba.org/index.php/Delegation/Account_management) on the "Account Operators" group, I noticed that the users of this group are allowed to change administrative group users.
In the link below, Microsoft reports that this is not possible:
"Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group cannot modify user rights."
I raised the Domain/Forest functional level to WS2008_R2 and applied the command "samba-tool dbcheck --reset-well-known-acls --fix --yes", and this also did not correct it.
Is it possible that the default ACLs for this group are wrong in the Samba DB?
If you have a suggestion to correct, I'm grateful.
I can confirm this. Windows AD is acting as documented: permission to change admin users and groups is not my ACL permissions but hard-wired. Samba allows all Account Operators to modify administrative users and groups.
(In reply to Björn Jacke from comment #1)
missed a word: permission to change admin user and groups *denied*