designating domain users as administrators

Brian Burke x0839 brianb at atc.ll.mit.edu
Mon Mar 16 18:11:24 GMT 1998


> > 
> > How do I get domain accounts to appear as administrators on the local
> > machines?
> > Is this even an option?  If this is not a current option are there plans to
> > make it so in the future?  What I would like to have is a group to which
> > certain users could belong if we want them to have administrator privileges
> > on the local machine.
> > 
> > We are running samba-pdc on a Sun running Solaris 2.5 serving NT 4.0
> > workstations.
> > 
> 
> see 'domain admins' parameter in smb.conf man page
> 

Just thought I'd share some of my experiences on this issue...
Using the domain admins works, it allows you to have administrator
privileges on any of the domain workstations... but...
the behavior with regards to profiles is kinda strange (I'm assuming
that you are using roaming profiles)

When logging into the network with roaming profiles, the user's profile
is copied from the Samba server to the local machine, then used from
the local machine until logoff... if changes were made it gets copied
back to the Samba server.  There are keys in the registry that 
specify where the local copy is and where the network copy is.  Each
user should have their own keys for these values.   
The keys are stored in
HKLM/Software/Microsoft/Windows NT/CurrentVersion/ProfileList
Each key there represents either a local user or a domain user.  For
the domain users the key is S-1-5-21-XXX-XXX-XXX-YYYYY  where the
X's represent the Domain SID and the Y's represent the user's RID
(a mapping of their UserID).  A problem arises when you specify
domain users.  Each of these users gets assigned a RID of 500 which 
represents the Administrator account.  So the key values of where to 
store the local copy of the profile gets set to the appropriate
value for the first admin user who logs on, (let's say user1).  Now 
when the second admin user logs on (user2)  they get the right 
profile from Samba, but it gets copied locally to .../WinNT/Profiles/user1

The net effect is that everything seems to be working correctly, but 
to local copies of profiles are handled properly increasing login times
and cause other undesirable (for me at least) behavior.  My solution?
Maintain administrator accounts on each machine separately.  I could
set up one administrator account on the domain, but just haven't done 
that yet.

Hope this gives you some useful info.
-Brian


Brian Burke
MIT Lincoln Laboratory
Air Traffic Surveillance
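
Added example, not part of the original message and not Samba or Microsoft code: a short Python check for the collision described above, where several 'domain admins' users resolve to the same S-1-5-21-...-500 SID and therefore to one ProfileList key. The user names, SID values and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Registry location named in the message (written there with forward slashes).
PROFILE_LIST = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList"
ADMIN_RID = 500  # RID the message says every 'domain admins' user receives

# Domain user SID: S-1-5-21-<three domain sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

def split_sid(sid):
    """Return (domain_sid, rid) for a domain user SID, or raise ValueError."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a domain user SID: {sid!r}")
    a, b, c, rid = m.groups()
    return f"S-1-5-21-{a}-{b}-{c}", int(rid)

def profile_key_collisions(logons):
    """Map each ProfileList key to its users; keep keys used by more than one."""
    by_key = defaultdict(list)
    for user, sid in logons:
        split_sid(sid)  # reject malformed input before building the key
        key = PROFILE_LIST + "\\" + sid.strip()
        if user not in by_key[key]:
            by_key[key].append(user)
    return {k: users for k, users in by_key.items() if len(users) > 1}

def shared_admin_rid_users(logons):
    """Users whose SID ends in the Administrator RID (500)."""
    return [u for u, sid in logons if split_sid(sid)[1] == ADMIN_RID]

# Constructed sample: (user, SID presented at logon), in logon order.
SAMPLE = [
    ("user1", "S-1-5-21-1111-2222-3333-500"),
    ("user2", "S-1-5-21-1111-2222-3333-500"),
    ("user3", "S-1-5-21-1111-2222-3333-1005"),
]

if __name__ == "__main__":
    for key, users in profile_key_collisions(SAMPLE).items():
        # Per the message, the key's values are set by the first user to log on.
        print(f"{key}\n  shared by {', '.join(users)}; local copy follows {users[0]}")
```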


