[Samba] How to allow users to be local admin

Götz Reinicke - IT Koordinator goetz.reinicke at filmakademie.de
Thu Sep 5 01:21:29 MDT 2013

On 04.09.13 17:00, Gregory Sloop wrote:
> GRIK> On 02.09.13 18:20, Marc Muehlfeld wrote:
>>> Hello Götz,
>>> On 02.09.2013 14:43, Götz Reinicke - IT Koordinator wrote:
>>>> it's been some time since I had to touch our samba installation, and maybe
>>>> someone can point me in the right direction.
>>>> We run a samba-3.6.9 PDC with ldap backend and windows 7 clients.
>>>> Everything for normal users is working fine (domain logon, roaming
>>>> profiles).
>>>> But now we'd like to enable our system administrators to log in to any
>>>> workstation with their domain user and install software or do other
>>>> administrative things.
>>>> I've read a bit about domain accounts and mappings. But I'm not sure
>>>> where to add or change what.
>>>> The admins affected are also in a special posix group.
>>>> There are also "Domain Admins" and "Administrators" posix groups and net
>>>> groupmap entries.
>>>> Would be great if someone can help me.
>>> I'm not sure if this is possible with an NT4-style domain. With (Samba)
>>> AD it is, if you plan to migrate. Then you can use "restricted groups"
>>> for that
>>> (http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain).
>>> I don't know how many clients you have. If it's a manageable size, you
>>> can create a group in your domain, go to each workstation and add this
>>> domain group to the local administrators group once. Then everyone who
>>> is a member of that domain group is automatically local admin on each of
>>> those machines (this is what you do with the "restricted group" in AD in
>>> 2 mins, without leaving your desk). You only have to add this domain
>>> group on every PC you reinstall.
>>> But if it's a possibility, migrate to Samba AD. AD brings you many great
>>> features, especially GPO, multi master replication, etc.
> GRIK> Hi Marc, currently we don't plan a change to Samba AD, and editing every
> GRIK> client to support local groups currently sounds a bit too much. (we have
> GRIK> about 200 windows clients and one admin :) )
> GRIK> Is there not any other chance or way? The admins are very reliable, so
> GRIK> they also might have more rights than the "normal" local admin.
> GRIK> I was thinking of maybe putting them in the group "Domain Admins" which
> GRIK> is also used to add workstations to the domain.
> GRIK> Or is that something different regarding rights?
> GRIK> Thanks for your feedback. /Götz
> Yes, making those users members of the "Domain Admins" group will
> "fix" it - but it also has the *usually* undesired side-effect of also
> making those people *DOMAIN ADMINS!*!!
> Making a domain group a member of the local Admins group on each
> machine also works without the side-effect of giving them domain root
> equivalent accounts.
> The first can be done from a single action on the DC - but the second
> generally requires action at each station. [Without an AD controller
> that is.]
> So, roll the dice. Do you really trust that these folks you want to
> have local admin privs won't whack the domain intentionally or
> unintentionally? If you feel good enough about that - then perhaps
> it's right for you.

Hi Greg,

thanks for pointing that out, I'll get some dice and check with the
head of department (currently only three people are considered to be
domain admins including me)

	Regards . Götz

Götz Reinicke

Tel. +49 7141 969 82 420
Fax  +49 7141 969 55 420
E-Mail goetz.reinicke at filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg

Registered at Amtsgericht Stuttgart HRB 205016

Chairman of the Supervisory Board: Jürgen Walter MdL
State Secretary in the Ministry of Science,
Research and the Arts of Baden-Württemberg

Managing Director: Prof. Thomas Schadt
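The per-workstation step Marc describes (add one domain group to the local Administrators group once, so that group membership on the PDC decides who is local admin) can be scripted so the only thing left to do on each of the 200 clients is to run it from an elevated prompt. The following is an added example and is not code from the thread or from the Samba project. It assumes a NetBIOS domain name of FILMAK and a domain group named wsadmins that already has a `net groupmap` entry of type domain on the PDC; both names are placeholders. It uses the ADSI WinNT provider because Windows 7 ships PowerShell 2.0, which has no Add-LocalGroupMember cmdlet, and it deliberately leaves "Domain Admins" alone, which is the whole point of Greg's warning.

```powershell
# Added example, not from the samba mailing-list thread or the Samba project.
# Adds the domain group FILMAK\wsadmins (assumed names) to the local
# Administrators group of the workstation this is run on, idempotently.
# Works on an NT4-style domain: no AD, no GPO, just the WinNT ADSI provider.
# Must be run from an elevated PowerShell session on each workstation.

param(
    [string]$Domain     = "FILMAK",          # assumed NetBIOS domain name
    [string]$Group      = "wsadmins",        # assumed domain group (needs a groupmap entry on the PDC)
    [string]$LocalGroup = "Administrators"   # built-in local group to extend
)

function Test-Elevated {
    # ADSI writes to local groups need an administrator token; fail early otherwise.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalGroupMemberPaths([string]$GroupName) {
    # Returns the ADsPath of every member, e.g. WinNT://FILMAK/wsadmins
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($grp.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
    })
}

function Add-DomainGroupToLocalGroup([string]$Domain, [string]$Group, [string]$LocalGroup) {
    if (-not (Test-Elevated)) {
        throw "Run this from an elevated PowerShell session."
    }

    $memberPath = "WinNT://$Domain/$Group,group"

    # Refuse to continue if the domain group does not resolve: a typo here, or a
    # missing 'net groupmap' entry on the PDC, would otherwise just throw a
    # generic COM error from Add().
    if (-not [ADSI]::Exists($memberPath)) {
        throw "Domain group $Domain\$Group cannot be resolved from this workstation."
    }

    $before = Get-LocalGroupMemberPaths $LocalGroup
    $wanted = "WinNT://$Domain/$Group"
    if ($before -contains $wanted) {
        Write-Host "$Domain\$Group is already a member of $LocalGroup; nothing to do."
        return $before
    }

    $local = [ADSI]"WinNT://$env:COMPUTERNAME/$LocalGroup,group"
    $local.psbase.Invoke("Add", $memberPath)

    # Re-read the membership and verify the change actually landed.
    $after = Get-LocalGroupMemberPaths $LocalGroup
    if (-not ($after -contains $wanted)) {
        throw "Adding $Domain\$Group to $LocalGroup did not take effect."
    }
    Write-Host "Added $Domain\$Group to $LocalGroup on $env:COMPUTERNAME."
    return $after
}

# Show the resulting membership so the operator can confirm that only the
# intended domain group was added and that Domain Admins was not touched.
Add-DomainGroupToLocalGroup -Domain $Domain -Group $Group -LocalGroup $LocalGroup |
    ForEach-Object { "  member: $_" }
```

The one-liner equivalent on a client is `net localgroup Administrators FILMAK\wsadmins /add`; the script above adds the resolution check, the idempotency check and a read-back, which is what you want when the same thing has to be repeated on 200 machines. It still has to be executed on every workstation (and again after a reinstall), exactly as Marc and Greg say; without an AD controller there is no central mechanism that pushes local group membership out.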
