James O'Neill
2014-Aug-02 02:12 UTC
[Samba] Samba 4.1 DC Account Operators permissions problem
There appears to be a bug in the samba 4.1 DC builtin group Account Operators permissions.

By definition, members of the Account Operators group can add, edit, and delete normal user accounts in the domain, except those for domain user accounts who are members of domain Account Operators, Administrators, Backup Operators, Print Operators, Server Operators, and Domain Admins. This account is very useful for delegating some authority to selected users so that they can create and manage user accounts without having access to the administration groups.

In our samba 4.1 domain, a freshly created domain user account that has membership only to Domain Users and Account Operators groups actually then has full permissions to modify (and add to) the Administrators and Domain Admins groups. This is not expected behavior!

I have verified this behavior on our working domain with samba 4.1.10 DCs. Also I set up a simple test domain with a samba 4.1.6 DC and it also displays the incorrect behavior above.

Can anyone suggest a fix for this problem?

____________________________________________________________
Jim O'Neill
IT Manager
School of Environmental and Rural Science
Faculty of Arts and Sciences
University of New England
Armidale NSW 2351
Australia
Email: joneill at une.edu.au
Phone: 02-6773-2667
Mob: 0409-200-340
Fax: 02 6773 2769
_____________________________________________________________
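An added example, not part of the original post: a Python check that reads the DACL of a group object's security descriptor in SDDL form and lists the allow ACEs that give Account Operators (SDDL alias `AO`, SID `S-1-5-32-548`) modify rights on the object itself. The function names and the three SDDL strings are constructed for illustration, and it assumes the descriptor of the group being checked has already been exported as SDDL.

```python
import re

# BUILTIN\Account Operators as it appears in SDDL: alias or well-known SID.
ACCOUNT_OPERATORS = {"AO", "S-1-5-32-548"}
# SDDL right codes for directory objects and their access-mask bits.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
          "GW": 0x40000000, "GR": 0x80000000}
# Rights that let the trustee change or delete the object.
MODIFY = ("CC", "DC", "SW", "WP", "DT", "SD", "WD", "WO", "GA", "GW")

def pairs(text):
    return [text[i:i + 2] for i in range(0, len(text), 2)]

def parse_rights(field):
    """Rights are either a hex mask or a run of two-letter codes."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for code in pairs(field):
        mask |= RIGHTS.get(code, 0)
    return mask

def account_operator_write_aces(sddl):
    """List (ace_type, modify rights, object GUID) for each allow ACE that
    applies to this object and names Account Operators as trustee."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj_guid, _inherit, trustee = fields[:6]
        if ace_type not in ("A", "OA") or trustee not in ACCOUNT_OPERATORS:
            continue  # deny ACEs and other trustees are not the concern here
        if "IO" in pairs(flags):
            continue  # inherit-only: applies to children, not this object
        mask = parse_rights(rights)
        granted = [code for code in MODIFY if mask & RIGHTS[code]]
        if granted:
            findings.append((ace_type, granted, obj_guid))
    return findings

# Constructed descriptors: one that lets AO modify the group, one that does not,
# and one with a hex-mask object ACE (placeholder GUID) keyed on the SID form.
WEAK_SDDL = "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;AU)"
TIGHT_SDDL = "O:DAG:DAD:PAI(A;;RPLCLORC;;;AU)(A;CIIO;WP;;;AO)(D;;WP;;;S-1-5-32-548)"
HEX_SDDL = "D:(OA;;0x20;11111111-2222-3333-4444-555555555555;;S-1-5-32-548)"
```

An empty result for the Administrators and Domain Admins objects is what the group definition quoted in the post implies; any entry is a grant worth reviewing.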