[Samba] Domain Admins

Bradley W. Langhorst brad at langhorst.com
Tue Oct 8 14:10:02 GMT 2002

On Tue, 2002-10-08 at 09:30, Irving Carrion wrote:
> Bradley W. Lanhorst wrote,
>     > 
>     > how are you assessing whether this is working or not?
>     > i consider the mapping to work if i can specify 
>     > one of my domain groups as a part of a local group and 
>     > the rsop tool says that a member of that group has the appropriate
>     > permissions..
>     >	everything you've shown looks good to me - how do you know if it
> is 
>     >	working or not?
> Brad
> Brad, when I was running an NT network or Samba Version 2.2.3a it worked
> fine.  That is to say all domain admins where able to log in as admin to
> all pc's who where members of the domain.  Now, I can go to each PC and
> specify that user1 be local admin, but something tells me there is
> another way.
> For example, if lets say I install a new pc with Win2k pro and then join
> it to the domain.  Now I log in as a domain admin.  When I perform a
> Windows Update, it says that only administrators can update the pc.  So,
> why is it that this PC does not know I am a domain admin.
I think you should take a look in the user manager for domains and 
add your new Domain Admins group to the Local Admins group...
IIRC Domain Admins have, by default, permissions to modify domain
settings like group membership etc but not local administrative rights
like running windows update.
I could be wrong about this though.

> Sorry but what is rsop tool?

rsop stands for resultant set of policy. It's a microsoft tool to tell
you what the effective permission an object has relative to a particular
user or group.
I don't have NT or 2k (just XP) so I don't know if it is available for

More information about the samba mailing list