Users with SeMachineAccountPrivilege right are able to change users and groups accounts
Using samba-3.3.4-0.1.146 on PPC SLES10.
Can you please upload your smb.conf together with a debug level 10 log of smbd doing an operation that it should have denied?
Volker, I remember that we worked (hopefully fixed) exactly this during the samr cleanup for 3.4.
Ok, you're the boss here :-)
Do you have a chance to use a recent 3.4 release ? There have been quite some fixes in the area of these access checks that should resolve your issue.
There won't be a new 3.3.x release as this is a discontinued series, so no backports for these access checks are available right now.
I've upgraded to 3.5.1 and will look into this.