The Samba-Bugzilla – Bug 7586
Users should not be able to write to the root of the sysvol share
Last modified: 2010-09-11 12:31:52 UTC
In a Windows Server 2008 Active directory environment users cannot write to the root of the sysvol share. In a samba 4 active directory they can.
I've tested this myself with a normal user account (group "domain users") and this wasn't possible.
Probably you are using an older s4 release where this still was allowed - but now (recent GIT checkouts) it shouldn't anymore. If this is true then please upgrade!