Description of Privileges
The privileges that have been implemented in Samba-3.0.11 are shown below. It is possible, and likely, that
additional privileges may be implemented in later releases of Samba. It is also likely that any privileges
currently implemented but not used may be removed from future releases as a housekeeping matter, so it is
important that the successful as well as unsuccessful use of these facilities should be reported on the Samba
This right determines whether or not smbd will allow the
user to create new user or group accounts via such tools
net rpc user add
NT4 User Manager for Domains.
Accounts that possess this right will be able to execute
scripts defined by the
share command in
smb.conf file as root. Such users will
also be able to modify the ACL associated with file shares
on the Samba server.
This right controls whether or not the user can join client
machines to a Samba-controlled domain.
This privilege operates identically to the
option in the
smb.conf file (see section 5 man page for
except that it is a global right (not on a per-printer basis).
Eventually the smb.conf option will be deprecated and administrative
rights to printers will be controlled exclusively by this right and
the security descriptor associated with the printer object in the
Samba provides two hooks for shutting down or rebooting
the server and for aborting a previously issued shutdown
command. Since this is an operation normally limited by
the operating system to the root user, an account must possess this
right to be able to execute either of these hooks.
This right permits users to take ownership of files and directories.