Local SMB Groups

You can create local SMB groups on the system that runs the SMB server. These SMB groups apply only to users that are connected through SMB.

Local groups use privileges to provide a secure mechanism for assigning task responsibility on a system-wide basis. Each privilege represents a well-defined role that the system administrator assigns to a group; a user holds a privilege by being a member of a group that has it.

The SMB server supports the following built-in SMB groups:

  • Administrators – Members of this group can fully administer files and directories on the system.

  • Backup Operators – Members of this group can bypass file security to back up and restore files.

  • Power Users – Members of this group can share directories.

Unlike access rights, which are assigned as permissions on a per-object basis through security descriptors, privileges are independent of objects. A privilege bypasses the object's access control list so that its holder can perform the assigned role regardless of what the ACL says. For example, members of the Backup Operators group must be able to bypass normal security checks to back up and restore files that they would otherwise not be able to access.

The difference between an access right and a privilege is as follows:

  • An access right is explicitly granted or denied to a user or a group. Access rights are assigned as permissions in a discretionary access control list (DACL) on a per-object basis.

  • A privilege is a system-wide role that implicitly grants members of a group the ability to perform predefined operations. Privileges override or bypass object-level access rights.

You cannot modify the privileges for the built-in SMB groups. However, you can assign any of the following privileges to the user-defined local groups:

  • Back up files and directories – Perform backups without requiring read access permission on the target files and folders.

  • Restore files and directories – Restore files without requiring write access permission on the target files and folders.

  • Take ownership of files and folders – Take ownership of an object without requiring take-ownership access permission.

By default, members of the local Administrators group can take ownership of any file or folder, and members of the Backup Operators group can perform backup and restore operations. Members of the Power Users group have no default privileges. Because a privilege overrides the DACL on every object, grant these privileges only to groups whose task actually requires them, and treat take-ownership as the most powerful of the three: once a member owns an object, they can change its permissions, so the privilege amounts to full control over any file or directory on the server.
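The following script is an added example, not part of the Oracle documentation or the smbadm source. It creates a user-defined local SMB group for backup staff, grants it only the backup and restore privileges (leaving take-ownership off), and displays the result. The subcommand and property names (create-group, add-member, set-group, show-groups; backup, restore, take-ownership) are taken from the Solaris 11.4 smbadm(8) man page as the author understands it; check them against your release. The group name backup-ops and the user names jsmith and akumar are hypothetical.

```shell
#!/bin/sh
# Added example: provision a least-privilege local SMB group for backups.
# Assumes Solaris 11.4 smbadm(8) subcommand names; users jsmith/akumar and the
# group backup-ops are hypothetical placeholders.
set -eu

# Command to invoke; point SMBADM at a wrapper such as "echo smbadm" for a dry run.
SMBADM=${SMBADM:-smbadm}

# Create the group, then add every member passed after the group name.
create_backup_group() {
    grp=$1
    shift
    $SMBADM create-group -d "Backup staff: backup/restore only" "$grp"
    for member in "$@"; do
        $SMBADM add-member -m "$member" "$grp"
    done
}

# Grant backup and restore only, one property per call so the script does not
# depend on -p being repeatable. take-ownership is set off explicitly: a member
# who could also take ownership could change the permissions of any object on
# the server, which is far more than a backup role needs.
grant_backup_privileges() {
    grp=$1
    $SMBADM set-group -p backup=on "$grp"
    $SMBADM set-group -p restore=on "$grp"
    $SMBADM set-group -p take-ownership=off "$grp"
}

# Show members (-m) and privileges (-p) so the result can be reviewed by eye.
show_backup_group() {
    $SMBADM show-groups -m -p "$1"
}

main() {
    grp=$1
    shift
    create_backup_group "$grp" "$@"
    grant_backup_privileges "$grp"
    show_backup_group "$grp"
}

# Usage (as root on the SMB server): sh smb-backup-group.sh backup-ops jsmith akumar
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The group is created before members are added and privileges are granted, so a failure part-way through (set -e stops the script) leaves at worst an empty, unprivileged group that can be removed with smbadm delete-group. Re-run smbadm show-groups -p after any change to confirm that no group carries a privilege its task does not need.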

For more information, see Managing SMB Groups and the smbadm(8) man page.