End-user AD settings and permissions, which created session with Samba server, will be preserved and unchanged until the end of the openned session. Thus removing or adding user to/from Print Admin group in AD will not effect a user, if created session with Samba server. Steps to reproduce: Configure print server and register it to AD. User, that defined in Admin group, browses to samba server by its NetBIOS name. Verify that user can act as administrator (for example upload printer drivers) In AD remove user from Admin group. User still can acts like as admin. Only when logged off from win machine or samba server restarted, new user's permissions will be updated.
this is by design. The token is created at logon time.