On Tue, 8 Jan 2019 13:19:34 +0100
L.P.H. van Belle <belle at bazuin.nl> wrote:
> > I thought that an object inherited rights from the object above it
> > i.e. nested groups
> > So a group that is a member of Domain Admins would have the same
> > rights as Administrators, because Domain Admins is a member of
> > Administrators, or am I missing something ???
> No, what you're thinking is correct, but now add the SePrivileges
> to this. But if we think in GROUP ACLs only, then we are thinking
> wrong.
Ah, I think I understand where we differ, you are talking about ACLs
and I am talking about ownership.
I am suggesting using a group that isn't 'Administrators' or 'Domain
Admins' to be the Unix group; this would then allow 'Administrators'
and 'Domain Admins' to own things in sysvol. If the new group is given
the 'SeDiskOperatorPrivilege', then members of that group could make
the required changes to the ACLs from Windows.
Or to put it another way, replace 'Domain Admins' with the new group
wherever it appears on this wiki page:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Rowland
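The procedure Rowland sketches, as an added shell example that is not part of the thread or of the linked Samba wiki page: create a dedicated group, grant it SeDiskOperatorPrivilege, make it the Unix owner group of the share directory, and emit the smb.conf settings from the wiki page with the new group in place of 'Domain Admins'. The NetBIOS domain name SAMDOM, the group name 'Unix Admins', the share name Demo and the path /srv/samba/Demo are assumptions; the group must be resolvable to a Unix GID through winbind before the chown step can succeed.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or the Samba wiki.
# Assumed names (not in the original mail): domain SAMDOM, group "Unix Admins",
# share "Demo" at /srv/samba/Demo. Run as root on a Samba AD DC or domain
# member; set DRY_RUN=1 to print each command instead of executing it.

DOMAIN="${DOMAIN:-SAMDOM}"
GROUP="${GROUP:-Unix Admins}"
SHARE_NAME="${SHARE_NAME:-Demo}"
SHARE_DIR="${SHARE_DIR:-/srv/samba/Demo}"

# Execute a command, or print it when DRY_RUN=1 (arguments are joined with
# spaces for display only, so shell quoting is not reproduced).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. A group that is neither 'Administrators' nor 'Domain Admins'.
create_group() {
    run samba-tool group add "$GROUP"
}

# 2. Give that group SeDiskOperatorPrivilege so its members can edit the
#    share ACLs from Windows; 'Domain Admins' is left without it.
grant_privilege() {
    run net rpc rights grant "$DOMAIN\\$GROUP" SeDiskOperatorPrivilege \
        -U "$DOMAIN\\administrator"
}

# 3. Unix-side ownership of the share root: root owns it, the new group is
#    the owning group (needs a winbind GID mapping for the group).
set_share_permissions() {
    run mkdir -p "$SHARE_DIR"
    run chown "root:$DOMAIN\\$GROUP" "$SHARE_DIR"
    run chmod 0770 "$SHARE_DIR"
}

# 4. The smb.conf settings from the wiki page: the [global] part enables
#    Windows ACL storage in extended attributes; paste into smb.conf and
#    reload with: smbcontrol all reload-config
share_stanza() {
    cat <<EOF
[global]
    vfs objects = acl_xattr
    map acl inherit = yes

[$SHARE_NAME]
    path = $SHARE_DIR
    read only = no
EOF
}

# 5. Check who actually holds the privilege now.
verify_privilege() {
    run net rpc rights list privileges SeDiskOperatorPrivilege \
        -U "$DOMAIN\\administrator"
}

main() {
    create_group
    grant_privilege
    set_share_permissions
    share_stanza
    verify_privilege
}

# Only run the full sequence when explicitly asked (RUN_SETUP=1), so the
# file can also be sourced for its functions.
if [ "${RUN_SETUP:-0}" = 1 ]; then
    main
fi
```

After the reload, log on to a Windows machine as a member of 'Unix Admins' and set the share's security tab as the wiki page describes; members of 'Domain Admins' who are not in the new group will no longer be able to change those ACLs, which is the point of separating the two.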