[Samba] dns-DCx accounts in CN=Users

Kees van Vloten keesvanvloten at gmail.com
Mon Jan 24 15:54:53 UTC 2022

On 24-01-2022 16:24, mj via samba wrote:
> Hi,
> We are wondering: is it safe to move the accounts dns-DC1 / dns-DC2 / 
> dns-DC3 that exist in our samba CN=Users,DC=samdom to a different CN, 
> for example to: CN=sys_accounts,DC=samdom
> Reason: The contents of CN=Users is displayed in various LDAP 
> addressbooks and also autocompleted in various other places in our 
> network. It looks strange for our users to see these technical 
> accounts listed and autocompleted.
> Of course we'd rather not break anything. :-)
> MJ
You can.

I have split up my users like this:

OU=Admin Accounts,OU=Interactive Users,OU=Groupware,DC=samdom
OU=User Accounts,OU=Interactive Users,OU=Groupware,DC=samdom
OU=Inactive Users,OU=Noninteractive Users,DC=samdom
OU=Script Accounts,OU=Noninteractive Users,DC=samdom
OU=Service Accounts,OU=Noninteractive Users,DC=samdom

The search-root for LDAP addressbooks etc. is OU=Groupware in my situation.
Indeed I started similar to you and used the move option in samba-tool 
to moved the users around.
Now, all default AD users, service-accounts (e.g. for apache), 
script-users and also inactive-users (who left the organization but 
still own files etc. somewhere) are invisible in LDAP addressbooks.

- Kees

More information about the samba mailing list