The user privilege model was introduced in Samba 3.0.11 to alleviate the need to log on as root to perform certain administrative duties, such as joining client machines to a Samba domain or managing printer properties. A user privilege, sometimes called a user right, is the inherent capability to perform certain actions regardless of the access control settings. For example, a printer administrator should be able to manage printer settings irrespective of whether the printer’s security descriptor allows his user account administrative access. Currently Samba supports eight different privileges, which are described in Table 5-15, along with references to the chapter that fully covers each one.

Table 5-15. Samba user privileges

Privilege	Description
SeAddUsersPrivilege	Add, modify, and delete users, as well as group membership (Chapter 9).
SeBackupPrivilege	Not currently used.
SeDiskOperatorPrivilege	Create, modify, and remove file shares, as well as modify share ACLs (Chapter 9).
SePrintOperatorPrivilege	Create, modify, and remove printers, print drivers, and forms (Chapter 7).
SeMachineAccountPrivilege	Add and remove client machines from a Samba domain (Chapter 9).
SeRemoteShutdownPrivilege	Issues requests to initiate and abort a shutdown of the Samba server (Chapter 9).
SeRestorePrivilege	Set the ownership of a file or directory to an arbitrary user (Chapter 6).
SeTakeOwnershipPrivilege	Take possession of a file or directory (Chapter 6).

The first thing that must be done to take advantage of this administration delegation model is to enable the feature in smb.conf:

  [global]
      enable privileges = yes

Table 5-16 provides a short description of the enable privileges parameter, as well as its current default value.

Table 5-16. User-privilege-related parameters

Parameter	Value	Description	Default	Scope
enable privileges	boolean	Controls whether smbd supports the assignment and honoring of user rights assignments.	no a	Global

Once this feature is enabled, the primary means of managing privilege assignments on a Samba server is the rpc rights subcommand of the net utility.

It is possible to manipulate user rights assignments with the Windows NT 4.0 User Manager for Domains utility, but only when run from a Windows NT 4.0 client. This specific functionality in usrmgr.exe does not work correctly when run from a Windows 2000 or later client, due to a bug in the application.