[Samba] Power Users - Is it possible?

George Farris farrisg at mala.bc.ca
Fri Jul 25 15:15:21 GMT 2003


My solution was to create a "Domain Power Users" group with net group
map and assign a domain SID to it.  I just incremented the highest SID
in the group list, for example:

net group map shows:
System Operators (S-1-5-32-549) -> -1
Domain Guests (S-1-5-21-1135672234-1853056381-2991119365-514) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Domain Users (S-1-5-21-1135672234-1853056381-2991119365-513) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> users
Domain Admins (S-1-5-21-1135672234-1853056381-2991119365-512) -> dadmin

Since S-1-5-21-1135672234-1853056381-2991119365-514 is the last number
displayed I could use: S-1-5-21-1135672234-1853056381-2991119365-515

so 

"net groupmap add sid=S-1-5-21-1135672234-1853056381-2991119365-515
ntgroup="Domain Power Users" unixgroup=pwruser"

will create the group.  I then went to the workstation and added "Domain
Power Users" to the local "Power Users" group.  Now anyone being a
member of pwruser is automatically a Power User on the workstation.


Thanks for all your help samba list, I appreciate it.  This is what
makes open source so valuable.

On Fri, 2003-07-25 at 03:32, Felipe Alfaro Solana wrote:
> On Fri, 2003-07-25 at 12:17, Beast wrote:
> > Friday, July 25, 2003, 5:09:31 PM, Felipe wrote:
> > 
> > > On Fri, 2003-07-25 at 11:54, Beast wrote:
> > >> > If Samba is acting as a domain controller (PDC), then it will only
> > >> > maintain global groups. Local groups are only available on workstations
> > >> > and member servers.
> > >> 
> > >> This is incorrect.
> > >> This is my smb.conf (It's PDC) :
> > 
> > > Well, local groups do exist in domain controllers, but they are shared
> > Yes :=)
> > 
> > > between domain controllers exclusively. That is, a domain workstation
> > > does have its own "Power Users" local group, which is totally different
> > > from the "Power Users" local group of the domain controllers.
> > 
> > That's why it's called "Local" :=)
> 
> I just wanted to clarify on this as I think there are people out there
> that are adding users to the "Power Users" group of the domain hoping
> that they will automatically become members of the "Power Users" local
> group of their Windows workstations, and this won't work.
-- 
George Farris  farrisg at mala.bc.ca
Computer Support Cowichan.
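
Added example (not part of the original post, and not Samba's own code): a shell check that extracts the domain SID and the already-mapped RIDs from a groupmap listing and classifies a candidate RID before it is passed to net groupmap add. The function names are hypothetical, the sample input is copied from the listing in the post, and the check sees only mapped groups, not user accounts.

```shell
# Added example, not from the original post. Function names are hypothetical.
# Sample input: six lines copied from the groupmap listing quoted in the post.
sample_groupmap() {
cat <<'EOF'
System Operators (S-1-5-32-549) -> -1
Domain Guests (S-1-5-21-1135672234-1853056381-2991119365-514) -> -1
Power Users (S-1-5-32-547) -> -1
Domain Users (S-1-5-21-1135672234-1853056381-2991119365-513) -> -1
Users (S-1-5-32-545) -> users
Domain Admins (S-1-5-21-1135672234-1853056381-2991119365-512) -> dadmin
EOF
}

DOM_RE='S-1-5-21-[0-9]*-[0-9]*-[0-9]*'

# Print the domain SID; fail if the listing holds none or more than one.
domain_sid() {
  sids=$(sed -n "s/.*(\($DOM_RE\)-[0-9]*) -> .*/\1/p" | sort -u)
  [ -n "$sids" ] && [ "$(printf '%s\n' "$sids" | wc -l)" -eq 1 ] || return 1
  printf '%s\n' "$sids"
}

# Print the RIDs already mapped under the domain SID, lowest first.
used_rids() {
  sed -n "s/.*($DOM_RE-\([0-9]*\)) -> .*/\1/p" | sort -n
}

# Classify a candidate RID. Windows keeps RIDs below 1000 for built-in
# accounts and groups; the named ones here are the standard assignments.
rid_status() {
  case "$1" in
    512) echo "reserved: Domain Admins" ;;
    513) echo "reserved: Domain Users" ;;
    514) echo "reserved: Domain Guests" ;;
    515) echo "reserved: Domain Computers" ;;
    516) echo "reserved: Domain Controllers" ;;
    *) if [ "$1" -lt 1000 ]; then echo "reserved: well-known range"
       else echo "allocatable"; fi ;;
  esac
}

# Lowest RID >= 1000 that does not appear in the listing read from stdin.
next_free_rid() {
  used=$(used_rids); rid=1000
  while printf '%s\n' "$used" | grep -qx "$rid"; do rid=$((rid + 1)); done
  echo "$rid"
}

echo "515 -> $(rid_status 515); candidate: $(sample_groupmap | domain_sid)-$(sample_groupmap | next_free_rid)"
```

Against a live server the same functions read the real listing, for example `net groupmap list | next_free_rid`.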



