Koozali.org: home of the SME Server

Windows domain admin rights

brianr
« on: November 24, 2005, 03:36:24 PM »
When using the SMEserver (6.0.1 + updates) as a domain controller to XP clients, the clients "only" get user rights.

Does anyone know if/how I can set things so that some of the users receive admin rights on the client?

TIA

Brian
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.

madmanfree

« Reply #1 on: November 24, 2005, 11:16:47 PM »
If you are on about local rights on the XP machine, then the users need to be added to the Administrators group to be given full admin rights. The group Domain Admins is added to this by default.
In XP Pro: right-click My PC, "Manage", then add the appropriate user to the appropriate group.

brianr
« Reply #2 on: November 24, 2005, 11:26:30 PM »
My point is that the user is not "local": it is authenticated over the network to the SMEserver acting as a domain controller, consequently there is no entry for the user on the local PC to be configured. "Rights" are passed in some way from the DC when the login is authenticated.

B.

raem
« Reply #3 on: November 25, 2005, 07:34:40 AM »
brianr

There is a choice where you can select All Authenticated Users and give all users who log in to sme server, say, Power User rights or whatever you wish.

brianr
« Reply #4 on: November 25, 2005, 03:45:04 PM »
Ray

Yes, I am sure I have seen that somewhere, but it is not in the usual "users" screens.

cheers

B.

azche24
« Reply #5 on: November 25, 2005, 08:22:22 PM »
We need to give the user full administrative rights at the WS for some "evil" lawyer-software, that needs this.

I add the users at server being normal users in a group called "worker" (read access for APPS-Directory and rw for DATA).

Quote from: "brianr"
My point is that the user is not "local" it is authenticated over the network to the SMEserver acting as a domain controller,


Then I add these domain users, e.g. DOMAIN\user1, to the appropriate WS and give them administrative rights there.

And I have to repeat that at every WS the user will be working on.

Nice MS-Stuff :-( - I think you call that "sneaker-administration"?
Alexander Ziemann, Berlin - DE

Brave Dave
« Reply #6 on: November 25, 2005, 11:03:39 PM »
mkdir -p /etc/e-smith/templates-custom/etc/smb.conf/
cp \
/etc/e-smith/templates/etc/smb.conf/11domainAdminGroup \
/etc/e-smith/templates-custom/etc/smb.conf

edit the fragment;
change the line to read;
domain admin group = admin @shared

save and;

/sbin/e-smith/signal-event ibay-modify

log off and log on at workstation
.:DB:.

brianr
« Reply #7 on: November 25, 2005, 11:44:13 PM »
Quote from: "azche24"

Then I add these domain users, e.g. DOMAIN\user1, to the appropriate WS and give them administrative rights there.


This is the bit I cannot work out how to do....?

B.

raem
« Reply #8 on: November 26, 2005, 01:33:47 AM »
brianr

> I am sure I have seen that somewhere, but it is
> not in the usual "users" screens.

Try this (applicable to Win2K but mostly the same in WinXP)

Log on to the workstation as Administrator
select Start/Settings/Control Panel/Administrative Tools/Computer Management/System Tools/Local Users and Groups/Groups

Highlight the Administrators group (or whichever group you want to make Authenticated Users a member of)
Right click the group/select properties/Click Add button/select local machine name at the top/highlight Authenticated Users/click Add button/click OK/click OK again

raem
« Reply #9 on: November 26, 2005, 01:52:28 AM »
david

> edit /etc/e-smith/templates-custom/etc/smb.conf/11domainAdminGroup to read:
> domain admin group = admin @shared

Thanks for that tip David. What does adding @shared actually do?
I read this in the fragment:

This parameter is intended as a temporary solution to enable
users to be a member of the "Domain Admins" group when a Samba
host is acting as a PDC. A complete solution will be provided
by a system for mapping Windows NT/2000 groups onto UNIX groups.
Please note that this parameter has a somewhat confusing name.
It accepts a list of usernames and of group names in standard
smb.conf notation.


Does this mean I have to add allowed admin users to a list somewhere?

I assume I could directly add various user names (to the fragment) that I want to be admins, e.g.

domain admin group = admin fred mary john

Thanks

Brave Dave
« Reply #10 on: November 26, 2005, 02:42:37 AM »
Yes you are right, add individual users

@shared is everyone who has an account in sme server manager

Effectively the permissions at the workstation level are wide open for things like add a printer, install a program; but network access security is intact.
.:DB:.
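
Added example, not part of any post in this thread and not SME Server's own tooling: a shell function that lists which entries of a Samba 2.x "domain admin group" line are individual users and which are whole groups such as @shared, so a group-wide Domain Admins grant stands out when the fragment is reviewed. The function names and the sample file are constructed for illustration; quoted names containing spaces and backslash-continued lines are not handled.

```shell
#!/bin/sh
# Prints one line per entry of "domain admin group":
#   "user <name>"  for a single account
#   "group <name>" for a @group, +group or &group entry (every member is granted)

audit_domain_admin_group() {
    # $1: path to an smb.conf, or to a single template fragment
    awk '
    /^[ \t]*[#;]/ { next }             # skip comment lines
    {
        eq = index($0, "=")            # only the first "=" is significant
        if (eq == 0) next
        name = tolower(substr($0, 1, eq - 1))
        gsub(/[ \t]/, "", name)        # case and whitespace in names are irrelevant
        if (name != "domainadmingroup") next
        n = split(substr($0, eq + 1), entry, /[ \t,]+/)
        for (i = 1; i <= n; i++) {
            e = entry[i]
            if (e == "") continue
            if (e ~ /^[@+&]/) {
                sub(/^[@+&]+/, "", e)
                print "group " e
            } else {
                print "user " e
            }
        }
    }' "$1"
}

# Constructed sample: the line from this thread plus one named user,
# inside a minimal [global] section (workgroup name is a placeholder).
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
  workgroup = EXAMPLE
  ; domain admin group = nobody
  Domain Admin Group = admin @shared, fred
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_domain_admin_group "$sample"
rm -f "$sample"
```

Any "group" line in the output means every member of that group logs on as a Domain Admin, which is the wide-open workstation permission described in the reply above.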

raem
« Reply #11 on: November 26, 2005, 08:02:50 AM »
Thanks David

jasperminute

« Reply #12 on: November 26, 2005, 04:11:44 PM »
You might also try

net localgroup "Power Users" "Domain Users" /add

or something similar in netlogon.bat

brianr
« Reply #13 on: November 26, 2005, 05:22:33 PM »
I've now tried the modification of the template for smb.conf, as described above, and it seems to work fine, subject to a bit more in-depth testing.

Many thanks for help guys...

Cheers

Brian

kruhm
« Reply #14 on: November 28, 2005, 06:19:34 AM »
Just for complete documentation...
I guess the real answer would be, it depends on what is included in your "SMEserver (6.0.1 + updates)"?

rpm -q samba

If samba-2.x.x, then the above is correct.

If samba-3.x.x, then you can map a SMEserver group/samba group to Microsoft Windows NT4/200x/XP groups easily (very cool).
-view current list of 'built-in' groups with: net groupmap list
-create a new group with the server-manager
-for the description put in your chosen group from the groupmap list

for more info:
chapter 11 at http://www.samba.org/samba/docs/man/Samba3-HOWTO/
man net
net groupmap