Bug 12796 - "Account Operators" group permissions
Summary: "Account Operators" group permissions
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.12.6
Hardware: All All
: P5 critical (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2017-05-19 20:31 UTC by cleberson
Modified: 2020-10-07 09:16 UTC (History)
2 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description cleberson 2017-05-19 20:31:10 UTC

Following the link reference (https://wiki.samba.org/index.php/Delegation/Account_management) on the "Account Operators" group, i noticed that the users of this group are allowed to change administrative group users.

In the link below, Microsoft reports that this is not possible:

"Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group cannot modify user rights."


Raising the Domain/Forest functional level to WS2008_R2 and applied the command "samba-tool dbcheck --reset-well-known-acls --fix --yes" and also did not correct.

Is it possible that the default acls in this group are wrong in the db of samba?

If you have a suggestion to correct, I'm grateful.

Comment 1 Björn Jacke 2020-08-19 15:32:39 UTC
I can confirm this. Windows AD is acting as documented, permission to change admin user and groups, not my ACL permissions but hard-wired. Samba allows all Account Operators to modify administrative users and groups.
Comment 2 Björn Jacke 2020-08-19 15:34:20 UTC
(In reply to Björn Jacke from comment #1)
missed a word: permission to change admin user and groups *denied*