Hello everyone,

we are in the process of changing from a Windows Domain to a Samba Domain and tried to implement some restrictions for OU-Admins. In the Windows Domain those restrictions can be implemented with Security ID S-1-3-4 (Owner Rights). In our old Windows Domain everything works fine and as expected. In our Samba Domain it doesn't work. We tried to implement the same rights as in our old domain from the GUI and the command line.

Samba version: 4.12.6

Here is a small bash script to set up an example via the command line:

============
#!/bin/bash

# variables used in the script
TestOU="TestSamba-OU-OWNER-RIGHTS"
TestUser="TestSamba-User-OR"
TestUserPWD="TestUserPW1!"
TestGroup="acl-ad_TestSamba-Group-OR_ou-rw"
Base_OU_DN="DC=ad,DC=something,DC=com"
Group_OWNER_RIGHTS="OWNER RIGHTS"
AD="AD\\"
Test_OU_DN="OU=${TestOU},${Base_OU_DN}"

# delete Test_OU_DN ( might be necessary to run the script multiple times )
# samba-tool ou delete "${Test_OU_DN}" --force-subtree-delete

# echo of all used variables
echo "Test-OU: ${TestOU}"
echo "Test-Group: ${TestGroup}"
echo "Test-User: ${TestUser}"
echo "Test-User_PWD: ${TestUserPWD}"
echo " "
echo "Base_OU-DN: ${Base_OU_DN}"
echo "Test-OU-DN: ${Test_OU_DN}"

# create TestOU
samba-tool ou create "${Test_OU_DN}"

# create two OUs within TestOU
samba-tool ou create "OU=Test1_with_Owner-Rights,${Test_OU_DN}"
samba-tool ou create "OU=Test2_without_Owner-Rights,${Test_OU_DN}"

# add group to TestOU
samba-tool group add "${TestGroup}" --groupou "OU=${TestOU}" --description="Group for OWNER-RIGHTS test"

# add user to OU
samba-tool user add "${TestUser}" "${TestUserPWD}" --userou "OU=${TestOU}"

# add TestUser to TestGroup
samba-tool group addmembers "${TestGroup}" "${TestUser}"

# set OWNER RIGHTS only for OU Test1_with_Owner-Rights
samba-tool dsacl set --objectdn "OU=Test1_with_Owner-Rights,${Test_OU_DN}" --sddl="(A;CI;RPLCRC;;;S-1-3-4)"

# get groupid and sid from TestGroup
# groupid=$(samba-tool group show "${TestGroup}" --attributes=objectGUID | grep objectGUID | cut -d " " -f2 -)
sid=$(samba-tool group show "${TestGroup}" --attributes=objectSid | grep objectSid | cut -d " " -f2 -)

# Organizational-Unit class with Schema-Id-Guid bf967aa5-0de6-11d0-a285-00aa003049e2
accessrights="(OA;CI;CCDC;bf967aa5-0de6-11d0-a285-00aa003049e2;bf967aa5-0de6-11d0-a285-00aa003049e2;${sid})"

# add Organizational Unit access rights to the two OUs
samba-tool dsacl set --objectdn "OU=Test1_with_Owner-Rights,${Test_OU_DN}" --sddl="${accessrights}"
samba-tool dsacl set --objectdn "OU=Test2_without_Owner-Rights,${Test_OU_DN}" --sddl="${accessrights}"
===============

In the first OU ("OU=Test1_with_Owner-Rights") the user should be restricted by Owner Rights, and in the second OU ("OU=Test2_without_Owner-Rights") he should not be restricted.

*The Owner Rights (set up as described above) are not working in our Samba Domain.*

*Any suggestions are welcome.*

Kind regards,
Gunnar Bandelow
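Before concluding that Samba ignores S-1-3-4, it is worth reading back the descriptor that samba-tool actually stored on each OU and checking two things: that the OWNER RIGHTS ACE is present in the DACL, and who the owner of the OU is, because an S-1-3-4 ACE only ever applies to the principal that owns the object. The following script is an added example and not part of the original post; it parses SDDL text on constructed sample descriptors modelled on the ACEs above (placeholder group SID and owner), and its live `check_ou` helper assumes that `samba-tool dsacl get` prints the SDDL string as the last line of its output.

```shell
#!/bin/bash
# Constructed sample descriptors (not from a real domain): one OU with the
# OWNER RIGHTS ACE applied, one without. The group SID is a placeholder.
SAMPLE_WITH='O:DAG:DAD:AI(A;CI;RPLCRC;;;S-1-3-4)(OA;CI;CCDC;bf967aa5-0de6-11d0-a285-00aa003049e2;bf967aa5-0de6-11d0-a285-00aa003049e2;S-1-5-21-111-222-333-1105)'
SAMPLE_WITHOUT='O:DAG:DAD:AI(OA;CI;CCDC;bf967aa5-0de6-11d0-a285-00aa003049e2;bf967aa5-0de6-11d0-a285-00aa003049e2;S-1-5-21-111-222-333-1105)'

# Owner part of the descriptor: the text between "O:" and "G:".
# If this is not the OU admin (user or group), an S-1-3-4 ACE never applies.
sddl_owner() {
    printf '%s\n' "$1" | sed 's/^O:\([^:]*\)G:.*/\1/'
}

# One DACL ACE per line with the parentheses stripped; the SACL ("S:") is dropped.
dacl_aces() {
    printf '%s\n' "$1" | sed 's/^.*D:[A-Z]*//; s/S:.*$//' | grep -o '([^)]*)' | tr -d '()'
}

# Rights string of the first allow ACE whose trustee is OWNER RIGHTS.
# ACE field layout: type;flags;rights;object_guid;inherit_guid;trustee
owner_rights_mask() {
    dacl_aces "$1" | awk -F';' '$1 == "A" && $6 == "S-1-3-4" { print $3; exit }'
}

# Succeeds only when an allow ACE for S-1-3-4 is present in the DACL.
has_owner_rights_ace() {
    [ -n "$(owner_rights_mask "$1")" ]
}

# Table of every DACL ACE, to compare what was requested with what was stored.
report_aces() {
    printf '%-4s %-5s %-10s %s\n' TYPE FLAGS RIGHTS TRUSTEE
    dacl_aces "$1" | awk -F';' '{ printf "%-4s %-5s %-10s %s\n", $1, $2, $3, $6 }'
}

# Live check against the domain (assumption: the SDDL is the last output line).
check_ou() {
    sddl=$(samba-tool dsacl get --objectdn "$1" | tail -n 1)
    echo "owner of $1: $(sddl_owner "$sddl")"
    report_aces "$sddl"
    if has_owner_rights_ace "$sddl"; then
        echo "OWNER RIGHTS ACE present, rights: $(owner_rights_mask "$sddl")"
    else
        echo "no OWNER RIGHTS ACE found"
    fi
}
```

Run `check_ou "OU=Test1_with_Owner-Rights,${Test_OU_DN}"` and the same for Test2 after the setup script; if the ACE is stored but the owner shown is not the OU admin's account or group, the restriction cannot take effect regardless of the ACE.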