[Samba] dns-DCx accounts in CN=Users
Kees van Vloten
keesvanvloten at gmail.com
Mon Jan 24 15:54:53 UTC 2022
On 24-01-2022 16:24, mj via samba wrote:
> We are wondering: is it safe to move the accounts dns-DC1 / dns-DC2 /
> dns-DC3 that exist in our samba CN=Users,DC=samdom to a different CN,
> for example to: CN=sys_accounts,DC=samdom
> Reason: The contents of CN=Users is displayed in various LDAP
> addressbooks and also autocompleted in various other places in our
> network. It looks strange for our users to see these technical
> accounts listed and autocompleted.
> Of course we'd rather not break anything. :-)
I have split up my users like this:
OU=Admin Accounts,OU=Interactive Users,OU=Groupware,DC=samdom
OU=User Accounts,OU=Interactive Users,OU=Groupware,DC=samdom
OU=Inactive Users,OU=Noninteractive Users,DC=samdom
OU=Script Accounts,OU=Noninteractive Users,DC=samdom
OU=Service Accounts,OU=Noninteractive Users,DC=samdom
The search-root for LDAP addressbooks etc. is OU=Groupware in my situation.
Indeed I started similar to you and used the move option in samba-tool
to move the users around.
Now, all default AD users, service-accounts (e.g. for apache),
script-users and also inactive-users (who left the organization but
still own files etc. somewhere) are invisible in LDAP addressbooks.
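
The scoping described in the reply above, as an added example that is not part of the original post: a subtree-scope check showing which entries an addressbook bound to the OU=Groupware search root would return. The account names in SAMPLE are constructed; the OU layout and the dns-DC1 location in CN=Users come from the thread.

```python
# Search root the post uses for LDAP addressbooks.
SEARCH_ROOT = "OU=Groupware,DC=samdom"

def split_rdns(dn):
    """Split a DN into normalized (attr, value) RDNs.

    Honours backslash escapes (e.g. 'CN=Example\\, Bob'). Simplification:
    multi-valued RDNs ('+') and quoted values are not handled.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escaped pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        # Attribute names and these values compare case-insensitively.
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_subtree(dn, base=SEARCH_ROOT):
    """True if dn is the base itself or below it (LDAP subtree scope)."""
    d, b = split_rdns(dn), split_rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b

def visible_entries(dns, base=SEARCH_ROOT):
    """Entries a subtree search rooted at base would be able to return."""
    return [dn for dn in dns if in_subtree(dn, base)]

# Constructed sample entries placed in the OU layout from the post.
SAMPLE = [
    "CN=Alice Example,OU=User Accounts,OU=Interactive Users,OU=Groupware,DC=samdom",
    r"CN=Example\, Bob,OU=Admin Accounts,OU=Interactive Users,ou=groupware,dc=SAMDOM",
    "CN=svc-apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom",
    "CN=dns-DC1,CN=Users,DC=samdom",
]

if __name__ == "__main__":
    for dn in SAMPLE:
        print("visible" if in_subtree(dn) else "hidden ", dn)
```

Running the same check against an export of real DNs is a quick way to audit which accounts a given search base exposes before pointing clients at it.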