[Samba] Root Access forWindows Domain Admins

Miguel Medalha miguelmedalha at sapo.pt
Sat Dec 11 16:21:35 MST 2010

> To put it simple id like to give our Domain Admins the same access to 
> Samba shares that the root user has and havent had much luck doing 
> this. Whenever I look this up I find that people are doing this 
> different ways but none seem to work. The only other thing that ive 
> seen people doing is adding a domain user to the sudoers list but that 
> means the domain user has to be logged into the linux server and then 
> elevate their privileges.

You may in fact be talking about different things, but the main ones I 
can remember now are:

Admin rights at share level (can also be used as a global parameter)

In smb.conf:

admin users = "@[yourdoamin]\Domain Admins"

If you are talking about privileges:

net rpc rights list
net rpc rights grant

The possible privileges are:

SeMachineAccountPrivilege    Add machines to domain
SeTakeOwnershipPrivilege Take ownership of files or other objects
SeBackupPrivilege  Back up files and directories
SeRestorePrivilege  Restore files and directories
SeRemoteShutdownPrivilege  Force shutdown from a remote system
SePrintOperatorPrivilege  Manage printers
SeAddUsersPrivilege  Add users and groups to the domain
SeDiskOperatorPrivilege  Manage disk shares
SeSecurityPrivilege  Manage auditing and security log

For example:

net rpc rights grant "Domain Admins" SeMachineAccountPrivilege

More information about the samba mailing list