The Samba-Bugzilla – Bug 12796
"Account Operators" group permissions
Last modified: 2017-05-19 20:31:10 UTC
Following the link reference (https://wiki.samba.org/index.php/Delegation/Account_management) on the "Account Operators" group, i noticed that the users of this group are allowed to change administrative group users.
In the link below, Microsoft reports that this is not possible:
"Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group cannot modify user rights."
Raising the Domain/Forest functional level to WS2008_R2 and applied the command "samba-tool dbcheck --reset-well-known-acls --fix --yes" and also did not correct.
Is it possible that the default acls in this group are wrong in the db of samba?
If you have a suggestion to correct, I'm grateful.