Koozali.org: home of the SME Server

Changing Domain User Permissions

lightnb

Changing Domain User Permissions
« on: May 28, 2007, 05:28:48 AM »
I've read through the manual and have been searching Google for a while now, but can't seem to find the answer I'm looking for.

I've set up SME Server 7 to be a domain controller, and I can log in as a domain user on any of my Windows XP machines.

The problem is, all of my domain users, when logged in, have a really limited permission set. The computer doesn't allow them to delete shortcuts off of the desktop, and they can't change their password using ctrl+alt+delete > change password, among other things.

How and where can I configure what rights the domain users have when logged in on a machine? Currently only the 'local users' show up in control panel > user accounts and in administrative tools.

Thanks for your assistance,

Nick

ronaldson40

Domain Permissions
« Reply #1 on: May 30, 2007, 11:45:39 PM »
Hi,

As you would be aware, when SME has the Domain Controller function enabled, it has a folder called netlogon associated with it.

If you have not used the netlogon folder before, i.e. if this is your first time, the netlogon folder will contain only the netlogon.bat, which you can use for a login script.
In addition to the netlogon.bat, you can create a file called ntconfig.pol to set user and group permissions.

Do the following steps to set permissions for users group-wise or user-wise:

Process 1

1. Make sure you have the domain controller option switched on.
2. Log into SME Server using the root user account instead of the admin.
3. At the command prompt, run a command to edit the smb.conf file.
Code:
vi /etc/samba/smb.conf
4. Enter insert mode, and look for a share called netlogon. Change the option browseable to YES from NO.
5. Save the smb.conf file.
6. Restart your Samba server.
Code:
service smb restart
7. Now log into one of your XP machines as the local Administrator.
8. Go to Run and type the following:
Code:
\\yourservername
9. Press Enter. At the login prompt, log in with the admin user and password.
10. If you are able to see the netlogon folder, you have finished an important process.

Process 2

1. Download a program called Poledit.
2. Follow the instructions on this site to make the ntconfig.pol file:
http://www.pcc-services.com/articles/implement_sys_policies.html
3. Upload this ntconfig.pol file to the netlogon share.
4. Restart your server (not usually required).
5. Now try logging into the machines.

skydivers

Re: Domain Permissions
« Reply #2 on: May 31, 2007, 09:11:43 AM »
Ronaldson, you describe it very well, thumbs up for that. The only thing is, when you change some config files (e.g. vi /etc/samba/smb.conf), you should use custom templating to achieve this. Otherwise changes get lost.

ronaldson40

Domain Permissions
« Reply #3 on: June 01, 2007, 11:52:51 AM »
Thanks.

I am not that experienced with SME.
It's just been a month.

Can you give me a link on how to work with templates?

Regards
Ronaldson

cactus

Changing Domain User Permissions
« Reply #4 on: June 01, 2007, 02:21:40 PM »
Wouldn't it be easier to add the Authenticated Users or Domain Users group to the Power User or, if preferred, Administrator group for every PC? The only thing you need to do is add users to the correct group on SME Server; you won't have the hassle with policies.

lightnb

Changing Domain User Permissions
« Reply #5 on: June 04, 2007, 04:52:48 PM »
Thanks guys!

Even though the netlogon folder isn't visible, you can still get to it by manually keying in its name.

I've downloaded the policy editor and am going to have to play with it vs. adding users to the existing groups. The poledit tool seems to give finer control though.


Thanks again,


Nick
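
Added example, not part of any post in this thread: the behaviour lightnb describes above follows from `browseable` only controlling whether a share is listed, so the settings worth checking on [netlogon] are the ones that decide who may write ntconfig.pol and netlogon.bat. The script parses a constructed smb.conf sample; the sample contents, its path and the function names `audit_share` and `sample_conf` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report the effective settings of one smb.conf share.
# Assumes one plain file: no include lines, no overrides from [global].
audit_share() {  # usage: audit_share FILE SHARE
    awk -v want="$2" '
    function yes(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function yn(b) { return b ? "yes" : "no" }
    BEGIN { want = tolower(want); browse = 1 }   # Samba default: browseable = yes
    /^[ \t]*[#;]/ { next }                       # skip comment lines
    /^[ \t]*\[/ {                                # section header such as [netlogon]
        name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
        insec = (tolower(name) == want); if (insec) found = 1
        next
    }
    insec && index($0, "=") {
        key = tolower(substr($0, 1, index($0, "=") - 1))
        val = substr($0, index($0, "=") + 1)
        gsub(/[ \t]/, "", key)                   # spaces in parameter names are ignored
        gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        if (key == "browseable" || key == "browsable") browse = yes(val)
        else if (key == "readonly") writable = !yes(val)
        else if (key == "writable" || key == "writeable" || key == "writeok") writable = yes(val)
        else if (key == "guestok" || key == "public") guest = yes(val)
        else if (key == "writelist") wl = val
    }
    END {
        if (!found) { print "ERROR: share not defined"; exit 2 }
        printf "browseable=%s writable=%s guest=%s\n", yn(browse), yn(writable), yn(guest)
        if (!browse) print "NOTE: hidden from browse lists only; connecting by name still works"
        if (writable) print "WARN: share-level writes allowed; only file permissions protect ntconfig.pol and netlogon.bat"
        if (guest) print "WARN: guest connections are accepted"
        if (wl != "") print "NOTE: write access granted to: " wl
    }' "$1"
}
sample_conf() {  # constructed sample, not output from a real SME Server
    cat <<'EOF'
[global]
workgroup = EXAMPLE
; constructed comment line
[netlogon]
path = /srv/netlogon-example
browseable = no
read only = yes
write list = admin
guest ok = no
EOF
}
tmp=$(mktemp) && sample_conf > "$tmp" && audit_share "$tmp" netlogon; rm -f "$tmp"
```

Run it against a copy of the live file with `audit_share /etc/samba/smb.conf netlogon`; an exit status of 2 means the share is not defined in that file.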

ronaldson40

Changing Domain Permissions
« Reply #6 on: June 05, 2007, 09:07:59 PM »
Hey, you should use NUTS (Network UTilities Set) along with Poledit...

With NUTS you can make your own ADM files from REG files exported from the registry.

http://yizhar.mvps.org/files/NUTS.TXT

Download from
http://yizhar.mvps.org/

rcrcomputing

Changing Domain User Permissions
« Reply #7 on: June 23, 2007, 07:15:39 AM »
When I first logged into the domain on a fresh install tonight and when I logged in to the XP machine as admin, I was not a local administrator of the machine... ???

I created a group called admins and in the description of that group I put Domain Admins. Then "net groupmap list" shows the group "Domain admins" and it seemed to work.

Seems a bug to me?? The admin user should be a local machine administrator, I would think.