Ownership issues migrating data from Windows to FreeNAS...

Status
Not open for further replies.

yois

Dabbler
Joined
Jun 15, 2014
Messages
13
Yes, the DC has such a group, but it isn't meant for assigning permissions to anything but DCs in the network. I'm not sure about the technical SID behind the group, but it seems it has no effect on member servers, which is how FreeNAS is installed in your situation.
 

SnakeByte

Explorer
Joined
Jul 10, 2015
Messages
53
but it isn't meant for assigning permissions to anything but DCs in the network.

I'm not sure I follow. The default behavior of Windows is to assign "Administrators" as owner of a file/folder when a file/folder is created by an administrator account (anyone that is a member of the Administrators group). This would include people in the Domain Admins group if AD is involved because Domain Admins becomes a member of each computer account's local "Administrators" group. You can read about this behavior here: https://technet.microsoft.com/en-us/library/cc961992.aspx

So this behavior is the same for computers joined to a domain, but also in situations where no domain is present.

This behavior clashes with Samba's because, for unknown reasons, Samba refuses to use the userid of the Administrators group. (For all other groups, Samba correctly copies the groupid of the group and uses that for the owner).
 

yois

Dabbler
Joined
Jun 15, 2014
Messages
13
Let me explain with an example:

Say you have a user DOMAIN\John. If you make him a member of the "Administrators" group in Active Directory, he will have login rights to log in to the Domain Controller and manipulate files on the DC as he wishes. But if he logs in to a workstation in the same domain, he won't have admin rights to the workstation. That is because the Administrators group is really a fake group for local admin rights to the DC only. It doesn't affect other machines on the domain.

In other words, the scope of the group doesn't extend past the DC, so its use is limited, and you are hitting one of those limitations.
 

SnakeByte

Explorer
Joined
Jul 10, 2015
Messages
53
Yois,

I think you're missing one important fact about BUILTINs ... the SIDs are fixed. BUILTIN\Administrators is S-1-5-32-544 on all Windows machines. This is why robocopy /copyall works perfectly fine from Windows to Windows machines. All machines already have the same accounts/groups -- even DCs that don't otherwise have local accounts. They're "BUILT IN."
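
The fixed-SID point in the post above, as an added example that is not part of the original thread: a Python sketch that decodes a binary SID and reports whether it is a BUILTIN alias (identical on every machine) or a SID issued by one particular domain or machine. The sample SIDs are constructed, and the function names and the three domain issuer numbers are assumptions made for illustration.

```python
import struct

# Well-known relative IDs (RIDs) from the Windows well-known SID list.
BUILTIN_ALIASES = {544: "Administrators", 545: "Users", 546: "Guests"}
DOMAIN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}


def parse_sid(raw: bytes) -> str:
    """Decode a binary SID (as stored in a security descriptor) to S-R-A-S... form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit authority, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])   # 32-bit sub-authorities, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_scope(sid: str) -> str:
    """Report whether a SID is the same everywhere or tied to one issuer."""
    parts = sid.split("-")[2:]
    authority, subs = int(parts[0]), [int(p) for p in parts[1:]]
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        name = BUILTIN_ALIASES.get(subs[1], f"alias RID {subs[1]}")
        return f"BUILTIN\\{name}: fixed value, same on every Windows machine"
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        name = DOMAIN_RIDS.get(subs[4], f"RID {subs[4]}")
        issuer = "-".join(map(str, subs[1:4]))
        return f"{name}: issued by domain/machine {issuer}, unique to that issuer"
    return "other well-known or unrecognised SID"


def build_sid(authority: int, *subs: int) -> bytes:
    """Hypothetical helper that builds sample binary SIDs for the demo."""
    header = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)


# Constructed samples: the BUILTIN owner discussed in the thread, and
# Domain Admins in a made-up domain (the three issuer numbers are invented).
SAMPLES = [build_sid(5, 32, 544),
           build_sid(5, 21, 1111111111, 2222222222, 3333333333, 512)]

if __name__ == "__main__":
    for raw in SAMPLES:
        sid = parse_sid(raw)
        print(sid, "->", sid_scope(sid))
```
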
 