Topic: Admin Rights - One more time

[troykd]

I'm not a Linux programmer.  I'd like to find the EASIEST way to assign admin rights to a couple users so they can run software that requires it.

All of the template fragment stuff is greek.  Anyone know an easy way to do this.  I thought it would have been built in to the user or group interface on server-manager.

[slords]

I'm not a Linux programmer.  I'd like to find the EASIEST way to assign admin rights to a couple users so they can run software that requires it.

[...] I thought it would have been built in to the user or group interface on server-manager.

If you are using SME Server as a domain controller and the workstations have joined the domain then the following is possible.

The domain always has three groups created, "Domain Admins", "Domain Users", "Domain Guests".  These are usually assigned to as follows:

Domain Admins => admin
Domain Users => shared (everyone)
Domain Guests => nobody

However if you create a group and name it whatever you want but put one of the above for the description then the newly created group will replace the above mapping.

So if you create a group called "admins" and give it a description of "Domain Admins" then anyone you assign to this group will be a domain admin and also a local admin on ANY box that has joined the domain.

[troykd]

Excellent!  Thank you very much.

Troy

[brianr]

I've just tried this today, and haven't yet got it to work.  SME7 without the _very_ latest updates.  XP pro SP2 on the client.

I created a group called "powerusers" and made the description "Domain Admins", then added a couple of users, then did a post-upgrade (incase templates where involved), then re-booted, then (domain) logged in as one of the users. and used my standard test to see if it would allow me to change the system time by double clicking the time in the system tray - it wouldn't.

I looked in various templates and /etc/smb.conf, but couldn't find any entries.

Anyone know if/how it works?

[troykd]

Go to the server-manager.  Set up the Groups page like the following (this is my example)

Current list of User Groups
Group         Description
roamuser        Domain Users
admins        Domain Admins

Name the Groups anything you want.  The description sets the rights.

Then assign your users to the apporpriate Group and you're done.

[brianr]

aha, I think i can see the problem - I only created the "admins" group, whereas I guess I have to "cover" all the users with the "users" and "admins" group.  I will try on Thurs when I get back to the site.

Many thanks.

Can anyone tell me if this works in 6.0.1?

[troykd]

The admin group could be called anything, you can call it "monkeys".  They'll get the admin rights as long as you call the group description for them is described as "Domain Admins"

Ditto for users.  Description needs to be "Domain Users"


I may be wrong, but this worked for me.....

[brianr]

yes, but my point is that that you need "both" groups created with (presumably)  no overlap. i am going back to try it today..

[cactus]

yes, but my point is that that you need "both" groups created with (presumably)  no overlap. i am going back to try it today..

Overlap should not be a problem as a domian user can be a domain admin, although I don't prefer to overlap. Users should not by default be logged on to the domain to access thir mail and browse the internet, they should have a normal user account for that.

[cactus]

Ditto for users.  Description needs to be "Domain Users"

You do not need to modify the "Domain Users" group as all users that are made on SME Server by default are added to the linux group called "shared" which in turn is mapped to the "Domain Users" group by default. If you want to make a group of domain administrators you will have to create a new group with the description "Domain Admins" as the Domain Administrator group is by default mapped to the (linux) admin user.