designating domain users as administrators
Brian Burke x0839
brianb at atc.ll.mit.edu
Mon Mar 16 18:11:24 GMT 1998
> >
> > How do I get domain accounts to appear as administrators on the local
> > machines?
> > Is this even an option? If this is not a current option are there plans to
> > make it so in the future? What I would like to have is a group to which
> > certain users could belong if we want them to have administrator privileges
> > on the local machine.
> >
> > We are running samba-pdc on a Sun running Solaris 2.5 serving NT 4.0
> > workstations.
> >
>
> see 'domain admins' parameter in smb.conf man page
>
Just thought I'd share some of my experiences on this issue...
Using the domain admins works, it allows you to have administrator
privileges on any of the domain workstations... but...
the behavior with regards to profiles is kinda strange (I'm assuming
that you are using roaming profiles)
When logging into the network with roaming profiles, the user's profile
is copied from the Samba server to the local machine, then used from
the local machine until logoff... if changes were made it gets copied
back to the Samba server. There are keys in the registry that
specify where the local copy is and where the network copy is. Each
user should have their own keys for these values.
The keys are stored in
HKLM/Software/Microsoft/Windows NT/CurrentVersion/ProfileList
Each key there represents either a local user or a domain user. For
the domain users the key is S-1-5-21-XXX-XXX-XXX-YYYYY where the
X's represent the Domain SID and the Y's represent the user's RID
(a mapping of their UserID). A problem arises when you specify
domain users. Each of these users gets assigned a RID of 500 which
represents the Administrator account. So the key values of where to
store the local copy of the profile gets set to the appropriate
value for the first admin user who logs on, (let's say user1). Now
when the second admin user logs on (user2) they get the right
profile from Samba, but it gets copied locally to .../WinNT/Profiles/user1
The net effect is that everything seems to be working correctly, but
to local copies of profiles are handled properly increasing login times
and cause other undesirable (for me at least) behavior. My solution?
Maintain administrator accounts on each machine separately. I could
set up one administrator account on the domain, but just haven't done
that yet.
Hope this gives you some useful info.
-Brian
Brian Burke
MIT Lincoln Laboratory
Air Traffic Surveillance
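
An added illustration, not part of the original post: a small Python model of the ProfileList behaviour described above, replaying logons to show which users end up pointed at another user's local profile directory because they share a SID. The domain SID digits, user names and the `C:` drive letter are constructed assumptions.

```python
import re

# S-1-5-21-<three domain sub-authorities>-<RID>, the key format from the post.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")
ADMIN_RID = 500  # RID of the Administrator account, per the post


def split_sid(sid):
    """Return (domain_sid, rid) for a domain-user SID, or raise ValueError."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain user SID: {sid!r}")
    return "S-1-5-21-" + "-".join(m.group(1, 2, 3)), int(m.group(4))


def simulate_logons(logons, profiles_root=r"C:\WinNT\Profiles"):
    """Replay (user, sid) logons against a ProfileList keyed by SID.

    The first user to log on under a SID fixes the local path stored in that
    key; later users presenting the same SID are sent to the same path.
    """
    profile_list = {}  # SID -> local profile path
    owner = {}         # SID -> user whose logon created the key
    findings = []
    for user, sid in logons:
        _, rid = split_sid(sid)
        if sid not in profile_list:
            profile_list[sid] = profiles_root + "\\" + user
            owner[sid] = user
        elif owner[sid] != user:
            findings.append({"user": user, "owner": owner[sid],
                             "local_path": profile_list[sid],
                             "admin_rid": rid == ADMIN_RID})
    return profile_list, findings


# Constructed sample data (made-up domain SID and user names).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_LOGONS = [
    ("user1", DOMAIN + "-500"),   # listed in 'domain admins'
    ("user3", DOMAIN + "-1003"),  # ordinary domain user, unique RID
    ("user2", DOMAIN + "-500"),   # second admin, same RID as user1
    ("user1", DOMAIN + "-500"),
]

if __name__ == "__main__":
    for f in simulate_logons(SAMPLE_LOGONS)[1]:
        print(f"{f['user']} -> {f['local_path']} (key created by {f['owner']})")
```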