Domain Administration Rights

Don Brearley donbrearley at hcc.mnscu.edu
Mon Aug 2 20:26:44 GMT 2004


Hello All,

I currently am running a Samba 3.0.5 based PDC on FreeBSD 5.2.1.

I have all my users separated into "department" groups (e.g. hr, it, etc.).

In Samba 2.x.x I was able to specify multiple groups
in the "Domain Admin" global configuration setting,
e.g. (domain admin group = @hr, @it, @services).

However, in Samba 3.x.x I have to use the "net groupmap" command
to modify the NT group "Domain Admins" to point to a unix group.

My problem is, I used to have each department group running with Domain
Admin privileges, and now I can only specify one group, and it is causing
a few problems with my users.  I need to be able to specify multiple
groups as "Domain Admins".

Can anyone provide any insight into how I may fix this problem? FreeBSD
does not allow for "groups of groups" so that is not an option.

I know I can go to each machine and modify local security settings on 
each PC to belong to a new "Domain Admins" group, but there are nearly 1000
machines on my network :)

Thanks for any help!

- Don Brearley
  HCC Computer Services



