[Samba] Power Users - Is it possible?

George Farris farrisg at mala.bc.ca
Thu Jul 24 22:35:13 GMT 2003

Thanks for that.  It's nice to have this explained well.  I have a
couple of books on w2k but mostly it talks AD and is not applicable.  I
have it working now.  On to group policies which from what I can tell
must remain as NT style to have any form of centralized network
policies.  I don't have any Active Directory at all here, strictly Samba

On Thu, 2003-07-24 at 15:28, Felipe Alfaro Solana wrote:
> On Thu, 2003-07-24 at 22:06, George Farris wrote:
> > Well interestingly enough it only works if I make pwruser (which is
> > mapped to "Domain Users") be the primary group of the user.  This is
> > confusing because with the user I have set up for a Domain Admin
> > (unixgroup dadmin) dadmin is not its primary group.
> > 
> > Any thoughts?
> I can't follow you. Let's go part by part:
> 1. The concept of primary group is similar to Unix. There is nothing
> particular with a primary group, except that it's mandatory. A user
> *must* belong to at least one group. And, a user can belong to more than
> one group. Thus, I don't understand you when you say "dadmin is not its
> primary group."
> 2. "Domain Users" is a global group belonging to a particular domain and
> thus, any computer belonging to that domain, can reference it. There can
> only exist one instance of the "Domain Administrators" global group for
> every domain. Normally, you add all users from that domain to this
> group, so you can reference all of them at once, for example, to allow
> or deny access to a particular resource, machine, program, etc.
> 3. "Power Users" is a local group, not a global one. That is, it does
> not belong to any domain, but belongs to a machine. It's said that the
> "Power Users" group is not stored in a domain controller, but on the SAM
> of a Windows machine (for example, a Windows XP computer). By saying
> that it's a local group, I mean there exists one instance of this group
> on every Windows computer, but no instances of it on any domain
> controller. So, you should never ever create "Power Users" as a global
> group on your Windows/Samba domain controller.
> Let's say you have 3 user accounts on the domain "DOM":
> "DOM\A", "DOM\B" and "DOM\C".
> If we want to make those users members of the "Power Users" group on the
> Windows machine called MACHINE1, we usually do the following:
> 1. Add "DOM\A", "DOM\B" and "DOM\C" to the "Domain Users" global group
> of the "DOM" domain (that is, we add them to "DOM\Domain Users").
> 2. Next, we log on to the MACHINE1 as an Administrator and then we add
> the global group "DOM\Domain Users" to the local "Power Users" group.
> 3. The net effect is that since "DOM\A" is a member of "DOM\Domain Users",
> and "DOM\Domain Users" is also a member of the group "Power Users",
> transitively, "DOM\A" becomes a member of the MACHINE1's "Power Users"
> local group. Since by default on any Windows machine, every member of
> the "Power Users" group has additional privileges over standard users
> (like changing the system clock and shutting down the computer), the
> user "DOM\A" will have those additional privileges.
> We could have added "DOM\A", "DOM\B" and "DOM\C" directly to MACHINE1's
> "Power Users", but what would happen if sometime in the future, a fourth
> user "DOM\D" needs those elevated privileges? It's simpler to add
> "DOM\D" to the "DOM\Domain Users" and then, by the transitive effect
> described above, "DOM\D" will automatically be considered a member of
> the local "Power Users" group for MACHINE1.
> Since "Power Users" is local to all machines, you'll have to repeat this
> operation on every Windows machine in which you want this mapping.
> I hope this is clearer now.
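
The membership model Felipe describes (global groups live in the domain, "Power Users" lives in each machine's SAM, and membership is resolved transitively) can be written out as a small simulation. This is an added example, not Samba code or anything from the thread; the domain "DOM", the users A to D and the machines MACHINE1/MACHINE2 are constructed names. It is useful for seeing what the mapping actually grants: once "DOM\Domain Users" sits inside a machine's "Power Users", every account in the domain (including ones created later) holds that local privilege there, while a machine where the mapping was never made grants nothing.

```python
"""Simulation of domain global groups vs. machine-local groups (added example).

Mirrors the thread's explanation: "Domain Users" is a global group stored on
the domain controller; "Power Users" is a local group stored in each Windows
machine's SAM; a global group placed inside a local group makes all of the
global group's users transitive members of that local group, on that machine
only. Domain, user and machine names below are constructed for illustration.
"""
from collections import defaultdict


class Domain:
    """A domain (e.g. Samba NT4-style PDC) holding users and global groups."""

    def __init__(self, name):
        self.name = name
        self.users = set()
        # global group name -> set of "DOM\\user" principals
        self.global_groups = defaultdict(set)

    def principal(self, user):
        return f"{self.name}\\{user}"

    def add_user(self, user):
        """Create a user; every user must have a primary group, "Domain Users"
        by default (the mandatory group Felipe mentions)."""
        self.users.add(user)
        self.global_groups["Domain Users"].add(self.principal(user))

    def add_to_global_group(self, group, user):
        if user not in self.users:
            raise KeyError(f"no such user {user!r} in domain {self.name}")
        self.global_groups[group].add(self.principal(user))


class Machine:
    """A domain-joined Windows machine with its own local SAM groups."""

    def __init__(self, name, domain):
        self.name = name
        self.domain = domain
        # local groups exist per machine; no copy of them lives on the DC
        self.local_groups = {"Administrators": set(),
                             "Power Users": set(),
                             "Users": set()}

    def add_to_local_group(self, group, principal):
        """Equivalent of an Administrator adding DOM\\<user or group> to a
        local group on this machine."""
        if group not in self.local_groups:
            raise KeyError(f"{self.name} has no local group {group!r}")
        self.local_groups[group].add(principal)

    def effective_members(self, group):
        """Expand a local group transitively: a member naming one of the
        domain's global groups is replaced by that group's users."""
        result = set()
        for member in self.local_groups[group]:
            dom, _, name = member.partition("\\")
            if dom == self.domain.name and name in self.domain.global_groups:
                result |= self.domain.global_groups[name]
            else:
                result.add(member)
        return result

    def is_power_user(self, principal):
        return principal in self.effective_members("Power Users")

    def audit_local_group(self, group):
        """Sorted list of every account that effectively holds this local
        group's privileges on this machine; handy for a least-privilege check."""
        return sorted(self.effective_members(group))


def build_example():
    """Recreate the thread's scenario: A, B, C in DOM; MACHINE1 maps
    DOM\\Domain Users into Power Users; MACHINE2 never gets the mapping."""
    dom = Domain("DOM")
    for user in ("A", "B", "C"):
        dom.add_user(user)
    machine1 = Machine("MACHINE1", dom)
    machine2 = Machine("MACHINE2", dom)
    machine1.add_to_local_group("Power Users", "DOM\\Domain Users")
    return dom, machine1, machine2


if __name__ == "__main__":
    dom, m1, m2 = build_example()
    print("MACHINE1 Power Users:", m1.audit_local_group("Power Users"))
    print("MACHINE2 Power Users:", m2.audit_local_group("Power Users"))
    dom.add_user("D")  # the fourth user from the thread, added later
    print("DOM\\D on MACHINE1:", m1.is_power_user("DOM\\D"))
    print("DOM\\D on MACHINE2:", m2.is_power_user("DOM\\D"))
```

Running the script shows the two points of the explanation side by side: A, B, C and the later D are all Power Users on MACHINE1 without anyone touching MACHINE1 again, and none of them are on MACHINE2 because the local group there was never populated. The audit output is also the thing to look at before choosing "Domain Users" as the group to map, since it makes visible that the mapping elevates the whole domain rather than the few accounts that need it.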
