[Samba] Re: Cannot get DOMAIN ADMINS to work

Jim C. jcllings at javahop.com
Fri Dec 10 23:33:54 GMT 2004


| After reading a lot in the mailing list and the official Samba 3 howto,
| I am still unable to give domain admin rights to a user, so that he gets
| admin rights on all workstations in the domain.
|
| Here is what I have:

1. If you are using LDAP, you should know that the posixgroup
objectClass is out of date and that you will need a different
objectClass to provide Administrative access to the LDAP database
itself. Specifically, groupOfNames.

2. I think you may be approaching this wrong.  I have to assume that you
are using something that actually has such a group so perhaps that means
XP.  On XP Pro:

Right click on the Start button and select "Properties".
Select the Customize button.
Select the Advanced tab.
Navigate to the Control Panel item.
Select the "Display as menu" radio button.

After having made these changes, you will then find that you can
navigate to the Control Panel using the Start menu and right-click on
the Control Panel menu items.  This also means that you can use the
"runas" context menu item to run them as an Administrator. I don't know
if this works on NT/2K but you might consider looking for something
similar.  The advantage of this technique is that your user remains just
a user.  You get what you need when you need it but not what you don't,
making your system much more secure. The function of runas is similar in
nature to something like kdesu. It is very handy indeed once you get
used to it.

3. I remember researching ways to upgrade my user to Administrative
group membership using a command line technique. Since I know this can
be done, I also know that it can be incorporated into a simple command
line login script.  What such a script should do is:

A. Check to see if the current user is a member of the local
"Administrators" group.
B. If not, use the runas facility and add them; otherwise exit.

For efficiency, you might consider using groups instead.  Samba does not
support groups as members of groups but your local machine probably
will.  Thus you could write your script so that it adds the remote group
"Domain Users" to the local group "Administrators".

It is just my opinion but I would use the techniques mentioned in #2
coupled with #3 but only in regards to the Power Users group, just to
make life easier.


Jim C.
--
-----------------------------------------------------------------
| I can be reached on the following Instant Messenger services: |
|---------------------------------------------------------------|
| MSN: j_c_llings @ hotmail.com  AIM: WyteLi0n  ICQ: 123291844  |
|---------------------------------------------------------------|
| Y!: j_c_llings            Jabber: jcllings @ njs.netlab.cz    |
-----------------------------------------------------------------



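The membership check from step A of #3, together with a listing of which accounts and nested groups already hold local administrator rights, as an added PowerShell example that is not part of the original post. It assumes Windows PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts module) and whoami.exe; the function names are hypothetical.

```powershell
# Added example (not from the original post): audit of the local Administrators group.
# Assumption: Windows PowerShell 5.1+ with the LocalAccounts module, and whoami.exe.

$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Test-CurrentUserIsLocalAdmin {
    # whoami lists every group SID in the logon token, including Administrators
    # when UAC has marked it "deny only", so this reports membership, not elevation.
    $groups = whoami.exe /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes
    return [bool]($groups | Where-Object { $_.SID -eq $AdminsSid })
}

function Get-LocalAdminReport {
    # One row per direct member. Nested groups are flagged because every account
    # in such a group inherits administrator rights on this machine.
    Get-LocalGroupMember -SID $AdminsSid | ForEach-Object {
        $sid = $_.SID.Value
        [pscustomobject]@{
            Name          = $_.Name
            ObjectClass   = $_.ObjectClass
            Source        = $_.PrincipalSource
            IsGroup       = $_.ObjectClass -eq 'Group'
            # RID 513 is the well-known relative ID of a domain's "Domain Users" group.
            IsDomainUsers = $sid -match '^S-1-5-21-(\d+-){3}513$'
        }
    }
}

"Current user in local Administrators: $(Test-CurrentUserIsLocalAdmin)"
Get-LocalAdminReport | Format-Table -AutoSize
```

The token that whoami reads is built at logon, so a membership change made during a session only shows up in the first check after the user logs on again.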