In a Windows Server 2008 Active directory environment users cannot write to the root of the sysvol share. In a samba 4 active directory they can.
I've tested this myself with a normal user account (group "domain users") and this wasn't possible. Probably you are using an older s4 release where this still was allowed - but now (recent GIT checkouts) it shouldn't anymore. If this is true then please upgrade!