Topic: Domain group problems

[mscdex]

I read through the wiki and the forums and saw that you can somehow automagically assign local workstation roles to certain domain groups by changing the description of the domain group to the local workstation role you wish to assign. I tried this but it does not make the members of the domain group have the specified local role.

For example, I have the domain group "students" with a description of "Power Users" in the server-manager groups section. When I log into an account ("student") that is a member of this domain group, the user does not have "Power Users" priviledges as I had hoped. Instead, when I use a windows console utility like "ismember.exe -l" or "net user student /domain", they tell me that I am indeed not a local "Power User" but a member of a global domain group called "Power Users" instead.

Is there a step I am missing in this? If this does not work as intended, I guess I will have to resort to manually adding the domain group(s) to the local "Power Users" role on every machine via the net command (through login scripts of course). I prefer the automagic way of course if possible

Also, I had one other small related question. When I create a user in the server-manager users section, it creates a domain group with the same name as the username I just created. I'm pretty sure this shouldn't be happening but then again I do not know what could be causing it. I cannot think of any contribs I installed that would have modified anything to do with the domain users or groups.

[cactus]

I read through the wiki and the forums and saw that you can somehow automagically assign local workstation roles to certain domain groups by changing the description of the domain group to the local workstation role you wish to assign. I tried this but it does not make the members of the domain group have the specified local role.

For example, I have the domain group "students" with a description of "Power Users" in the server-manager groups section. When I log into an account ("student") that is a member of this domain group, the user does not have "Power Users" priviledges as I had hoped. Instead, when I use a windows console utility like "ismember.exe -l" or "net user student /domain", they tell me that I am indeed not a local "Power User" but a member of a global domain group called "Power Users" instead.

Are you sure you are running a domain and not a workgroup environment?

What is the output of

Code: [Select]

db configuration getprop smb DomainMaster
and

Code: [Select]

net rpc info -Uadmin
and

Code: [Select]

net groupmap list

I had one other small related question. When I create a user in the server-manager users section, it creates a domain group with the same name as the username I just created. I'm pretty sure this shouldn't be happening but then again I do not know what could be causing it. I cannot think of any contribs I installed that would have modified anything to do with the domain users or groups.

No that is default behavior of SME Server, but those groups are not domain groups AFAIK.

[cactus]

Perhaps this is why it will not work if you have set everything properly: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#id2591649 , it explains that the Power Users group is not a domain group, but a local group and hence you will have to assign users/groups to it on each workstation individually by hand.

[mscdex]

Perhaps this is why it will not work if you have set everything properly: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#id2591649 , it explains that the Power Users group is not a domain group, but a local group and hence you will have to assign users/groups to it on each workstation individually by hand.

I saw that link earlier but was confused because it seemed to contradict what the SME documentation appeared to allude to. I ended up having the users' login script run the necessary 'net localgroup "Power Users" "DOMAIN\DomainGroup" /add' command only once so that they are automatically set on the workstation without any sort of manual visiting of each machine.

What exactly is the benefit of putting the local workstation role as the description of the domain group then in the server-manager group section?

Edit: My SME server is controlling both a domain and workgroup. My 'net groupmap list' shows groups for both domain groups as well as each and every user that exists on the server. All of the groupmap listings I could find on the forum here that people have pasted do not show any of their individual users like what happens in my case, they just have their domain groups displayed.

[cactus]

What exactly is the benefit of putting the local workstation role as the description of the domain group then in the server-manager group section?

There is a use, but not for the Power Users group as this is defined by Windows as a host only (and not a domain group).

I use the method for my Domain Administrators, but it should work for others like Domain Guests. The Domain Users is linked to the shared group by default, which should hold the users created on SME Server (even the service users like www, public and guest).

A windows domain only has them by default all others are non standard and not supported by domains by default and need a workaround like you are using now for your Power Users group.