[Samba] How to allow users to be local admin

Ricky Nance ricky.nance at gmail.com
Thu Sep 5 08:58:04 MDT 2013


It's been a long time, but I think NTPoledit would let you create a .pol
file you could put on the netlogon share and have the groups linked.
Example: make a domain group called privileged and then create a policy
that adds the privileged group to the local admins group... It'd be worth a
shot.

Ricky


On Thu, Sep 5, 2013 at 2:21 AM, Götz Reinicke - IT Koordinator <
goetz.reinicke at filmakademie.de> wrote:

> On 04.09.13 17:00, Gregory Sloop wrote:
> >
> >
> > GRIK> On 02.09.13 18:20, Marc Muehlfeld wrote:
> >>> Hello Götz,
> >>>
> >>> On 02.09.2013 14:43, Götz Reinicke - IT Koordinator wrote:
> >>>> It's been some time since I last had to touch our samba installation and
> >>>> maybe someone can point me in the right direction.
> >>>>
> >>>> We run a samba-3.6.9 PDC with ldap backend and windows 7 clients.
> >>>> Everything for normal users is working fine (domain logon, roaming
> >>>> profiles).
> >>>>
> >>>> But now we'd like to enable our system administrators to log in to any
> >>>> workstation with their domain user and install software or do other
> >>>> administrative things.
> >>>>
> >>>> I've read a bit about domain accounts and mappings. But I'm not sure
> >>>> where to add or change what.
> >>>>
> >>>> The admins affected are also in a special posix group.
> >>>>
> >>>> There are also "Domain Admins" and "Administrators" posix groups and
> >>>> net groupmap entries.
> >>>>
> >>>> Would be great if someone can help me.
> >>>
> >>> I'm not sure if this is possible with an NT4-style domain. With (Samba)
> >>> AD it is, if you plan to migrate. Then you can use "restricted groups"
> >>> for that
> >>> (http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain).
> >>>
> >>>
> >>> I don't know how many clients you have. If it's a manageable size, you
> >>> can create a group in your domain, go to each workstation and add this
> >>> domain group to the local administrators group once. Then everyone who
> >>> is a member of that domain group is automatically local admin on each of
> >>> those machines (this is what you do with the "restricted group" in AD in
> >>> 2 mins, without leaving your desk). You only have to add this domain
> >>> group on every PC you reinstall.
> >>>
> >>> But if it's a possibility, migrate to Samba AD. AD brings you many
> >>> great features, especially GPO, multi-master replication, etc.
> >
> >
> > GRIK> Hi Marc, currently we don't plan a change to Samba AD, and editing
> > GRIK> every client to support local groups currently sounds a bit too
> > GRIK> much. (We have about 200 Windows clients and one admin :) )
> >
> >
> > GRIK> Is there not any other chance or way? The admins are very reliable,
> > GRIK> so they also might have more rights than the "normal" local admin.
> >
> > GRIK> I was thinking of maybe putting them in the group "Domain Admins"
> > GRIK> which is also used to add workstations to the domain.
> >
> > GRIK> Or is that something different regarding rights?
> >
> > GRIK> Thanks for your feedback. /Götz
> >
> > Yes, making those users members of the "Domain Admins" group will
> > "fix" it - but it also has the *usually* undesired side-effect of also
> > making those people *DOMAIN ADMINS!*!!
> >
> > Making a domain group members of the local Admins group on each
> > machine also works without the side-effect of giving them domain root
> > equivalent accounts.
> >
> > The first can be done from a single action on the DC - but the second
> > generally requires action at each station. [Without an AD controller
> > that is.]
> >
> > So, roll the dice. Do you really trust that these folks you want to
> > have local admin privs won't whack the domain intentionally or
> > unintentionally? If you feel good enough about that - then perhaps
> > it's right for you.
>
> Hi Greg,
>
> thanks for pointing that out, I'll get some dice and check with the
> head of department (currently only three people are considered to be
> domain admins including me)
>
>         Regards, Götz
>
> --
> Götz Reinicke
> IT Coordinator
>
> Tel. +49 7141 969 82 420
> Fax  +49 7141 969 55 420
> E-Mail goetz.reinicke at filmakademie.de
>
> Filmakademie Baden-Württemberg GmbH
> Akademiehof 10
> 71638 Ludwigsburg
> www.filmakademie.de
>
> Registered at Amtsgericht Stuttgart HRB 205016
>
> Chairman of the Supervisory Board: Jürgen Walter MdL
> State Secretary in the Ministry of Science,
> Research and the Arts of Baden-Württemberg
>
> Managing Director: Prof. Thomas Schadt
>
>

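Marc's per-workstation approach from the quoted thread (put one domain group into each machine's local Administrators group instead of making the admins members of "Domain Admins", the side effect Gregory warns about) can be scripted so it is safe to run repeatedly. This is an added example, not code from the thread or from Samba; the domain name EXAMPLEDOM is a placeholder and the group name privileged is borrowed from Ricky's example, so substitute your own.

```powershell
# Added example (not from the thread): make one domain group a member of the
# local Administrators group on this workstation, idempotently, without
# granting anyone domain-wide rights. EXAMPLEDOM and "privileged" are
# placeholder names. Uses the WinNT ADSI provider, which is available on
# Windows 7 / PowerShell 2.0; must be run from an elevated prompt.
param(
    [string]$Domain = 'EXAMPLEDOM',
    [string]$Group  = 'privileged'
)

$admins = [ADSI]'WinNT://./Administrators,group'
$wanted = "WinNT://$Domain/$Group"

# Enumerate current members by ADsPath rather than by bare name, so a local
# account that happens to share the domain group's name is not mistaken for it.
function Get-LocalAdminPaths {
    $admins.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$current = @(Get-LocalAdminPaths)
if ($current -contains $wanted) {
    Write-Output "$Domain\$Group is already in the local Administrators group."
} else {
    # Only this one domain group gains local admin on this machine.
    $admins.Add("$wanted,group")
    Write-Output "Added $Domain\$Group to the local Administrators group."
}

# Print the final membership so the operator can spot anything unexpected.
Get-LocalAdminPaths
```

Running it on each client (or from a startup script on the netlogon share) replaces the manual visit Marc describes, and reviewing the printed membership list is a quick check that nothing beyond the intended group holds local admin.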