admin users = '@DOM+Domain Admins'
and adding a user of this group with full access to a share (using WinNT Server
Manager) the user may not access the share.
denied due to security descriptor.
Volker Lendecke provided the following explaination:
The list of SIDs is generated twice. During Session Setup and while accessing
the share. During Session Setup everything is fine. Later the UID is replaced by
0. While accessing the share a new token is generated. This time the wrong RID
probably not going fix this in Samba 3.