RIDs and userid's and roaming profiles

Luke Kenneth Casson Leighton lkcl at switchboard.net
Thu Mar 12 21:11:58 GMT 1998


On Thu, 12 Mar 1998, Brian Burke x0839 wrote:

> 
>  
> > On Thu, 12 Mar 1998, Brian Burke x0839 wrote:
> > 
> > > HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/ProfileList/
> > > S-1-5-21-XXX-XXX-XXX-500
> > > 
> > > this 500 number coming from?  Could something be going wrong with the
> > > NT Domain logon so the uid isn't being set and NT then picks 500 for the
> > > guest user or something like that?
> > 
> > I thought 500 was the RID for the Administrator account.  Could be wrong
> > though.  I'm sure it is one of the built-in accounts.  Are the users
> > specified in the 'domain admins =' parameter in smb.conf by chance?
> > 
> > Interesting, though.  I think one of my NT 4.0 boxes is having the same
> > problem.  I haven't traced it to the user RID yet but the symptoms are
> > similar to the ones you descibe.
> > 
> > 
> > j-
> 
> Your timing is amazing Jerry... as I was just walking back to my computer
> to write my own response to this problem your message arrived!
> 
> Yes, the problem was the domain admin =  param for some of the users. 
> Is this the way it is supposed to work?  I thought that I should be
> able to give certain users (such as myself), the ability to act as 
> Administrator on any machine through the normal user account.  The user
> that logged in to the Domain is brianb... not Administrator.  I was
> thinking that this situation is similar to doing an su command in UNIX...
> having super-user access but still with username and uid of the calling
> user.

ok, this is where some assistance from microsoft would come in handy.

info: paul ashton informs me that you can specify a username / password /
domain in the LSA_SAMLOGON, and respond with a _different_ username and
(effectively) an arbitrary Primary Group RID and Primary User RID. 

info: in the code, i append non-primary groups specified by "domain admin
users" and "domain guest users" onto the list of groups.  from what you
are saying, this causes things to go awry.  but maybe this is a _feature_
of NT workstation: if you specify that some of your users are
administrators, they all share the same profile.

luke
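
Added example (not part of the original message and not Samba code): a small audit over (username, user SID) pairs, as a domain logon would hand them to a workstation, that flags the situation discussed in this thread. ProfileList is keyed by SID, so several usernames mapped to the same SID, or a non-Administrator name carrying RID 500, end up on one profile. The function names, the findings format and the sample data are assumptions made for illustration.

```python
import re

# Well-known user RIDs in an NT domain (500 is the one seen in the thread).
BUILTIN_USER_RIDS = {500: "Administrator", 501: "Guest"}

# Domain account SID: S-1-5-21-<three domain sub-authorities>-<RID>
DOMAIN_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID, or None."""
    m = DOMAIN_SID.match(sid.strip())
    return (m.group(1), int(m.group(2))) if m else None


def audit_logons(logons):
    """Check (username, user_sid) pairs; return sorted (kind, sid, users)."""
    findings = []
    users_by_sid = {}
    for user, sid in logons:
        parsed = split_sid(sid)
        if parsed is None:
            findings.append(("unparsed-sid", sid, (user,)))
            continue
        users_by_sid.setdefault(sid, set()).add(user.lower())
        builtin = BUILTIN_USER_RIDS.get(parsed[1])
        # A built-in RID handed to a differently named account.
        if builtin and user.lower() != builtin.lower():
            findings.append(("builtin-rid-mismatch", sid, (user,)))
    # One SID means one ProfileList key, hence one shared profile.
    for sid, users in users_by_sid.items():
        if len(users) > 1:
            findings.append(("shared-profile", sid, tuple(sorted(users))))
    return sorted(findings)


# Constructed sample data: the sub-authorities, "alice" and "carol" are made up.
DOM = "S-1-5-21-1111-2222-3333"
SAMPLE = [
    ("brianb", DOM + "-500"),
    ("alice", DOM + "-500"),
    ("Administrator", DOM + "-500"),
    ("carol", DOM + "-1005"),
]

if __name__ == "__main__":
    for kind, sid, users in audit_logons(SAMPLE):
        print(kind, sid, ", ".join(users))
```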



More information about the samba-ntdom mailing list