[Samba] Power Users - Is it possible?

Thu Jul 24 22:28:56 GMT 2003

On Thu, 2003-07-24 at 22:06, George Farris wrote:

> Well interestingly enough it only works if I make pwruser (which is
> mapped to "Domain Users") be the primary group of the user.  This is
> confusing because with the user I have set up for a Domain Admin
> (unixgroup dadmin) dadmin is not it's primary group.
> 
> Any thoughts?

I can't follow you. Let's go part by part:

1. The concept of primary group is similar to Unix. There is nothing
particular with a primary group, except that it's mandatory. A user
*must* belong to at least one group. And, a user can belong to more than
one group. Thus, I don't understand you when you say "dadmin is not it's
primary group."

2. "Domain Users" is a global group belonging to a particular domain and
thus, any computer belonging to that domain, can reference it. There can
only exist one instance of the "Domain Administrators" global group for
every domain. Normally, you add all users from that domain to this
group, so you can reference all of them at once, for example, to allow
or deny access to a particular resource, machine, program, etc.

3. "Power Users" is a local group, not a global one. That is, it does
not belong to any domain, but belongs to a machine. It's said that the
"Power Users" group is not stored in a domain controller, but on the SAM
of a Windows machine (for example, a Windows XP computer). By saying
that it's a local group, I mean there exists one instance of this group
on every Windows computer, but no instances of it on any domain
controller. So, you should never ever create "Power Users" as a global
group on your Windows/Samba domain controller.

EXAMPLE:

Let's say you have 3 user accounts on the domain "DOM":

"DOM\A", "DOM\B" and "DOM\C".

If we want to make those users members of the "Power Users" group on the
Windows machine called MACHINE1, we usually do the following:

1. Add "DOM\A", "DOM\B" and "DOM\C" to the "Domain Users" global group
of the "DOM" domain (that is, we add them to "DOM\Domain Users").
2. Next, we log on to the MACHINE1 as an Administrator and then we add
the global group "DOM\Domain Users" to the local "Power Users" group.
3. The net effect is that since "DOM\A" is member of "DOM\Domain Users",
and "DOM\Domain Users" is also a member of the group "Power Users",
transitively, "DOM\A" becomes a member of the MACHINE1's "Power Users"
local group. Since by default on any Windows machine, every member of
the "Power Users" group has additional privileges over standard users
(like changing the system clock and shutting down the computer), the
user "DOM\A" will have those additional privileges.

We could have added "DOM\A", "DOM\B" and "DOM\C" directly to MACHINE1's
"Power Users", but what would happen if sometime in the future, a fourth
user "DOM\D" needs those elevated privileges. It's simpler to add
"DOM\D" to the "DOM\Domain Users" and then, by the transitive effect
described above, "DOM\D" will automatically be considered a member of
the local "Power Users" group for MACHINE1.

Since "Power Users" is local to all machines, you'll have to repeat this
operation on every Windows machine in which you want this mapping.

I hope this is clearer now.