[Samba] role delegation
Rowland Penny
rpenny at samba.org
Sat Oct 30 12:31:14 UTC 2021
On Sat, 2021-10-30 at 07:01 -0500, Patrick Goetz via samba wrote:
>
> On 10/29/21 16:55, Rowland Penny via samba wrote:
> > On Fri, 2021-10-29 at 16:34 -0500, Patrick Goetz via samba wrote:
> > > I would like to have a user with limited domain admin
> > > capabilities;
> > > namely the ability to add new users and add users to groups, with
> > > the
> > > ideal being to also able to help users reset their password and
> > > create/delete groups. But this user would not be able to create
> > > OU's,
> > > edit Group Policy, or do anything else other than work with users
> > > and
> > > groups. Is such a thing even possible?
> >
> > Are we talking about doing this on Linux ? if so you could create a
> > group and then give this group the privileges required. Run (as
> > root):
> > net rpc rights list privileges -Uadministrator
> >
> > For a complete list of the available privileges.
> >
>
> No, I was hoping to endow the digital archivist, who is onsite and
> deals
> with minor desktop issues, with the ability to use the RSAT Users
> and
> Computers tool to add users, but this isn't terribly critical.
>
> For the sake of understanding, `net rpc rights list privileges
> -Uadministrator` lists the user's privileges,
It actually lists the available privileges.
> but am I able to afford
> these privileges individually to other domain users; e.g. could I
> give a
> user the SeAddUsersPrivilege privilege?
>
Try reading this:
https://www.danielengberg.com/domain-join-permissions-delegate-active-directory/
Rowland
More information about the samba
mailing list