-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
| After reading a lot in the mailing list and the official Samba 3 howto, | i am still unable to give domain admin rights to a user, so that he gets | admin rights on all workstations in the domain. | | Here is what i have:
1. If you are using ldap, you should know that the posixgroup objectClass is out of date and that you will need a different objectClass to provide Administrative access to the LDAP database itself. Specifically, groupOfNames.
2. I think you may be approaching this wrong. I have to assume that you are using something that actually has such a group so perhaps that means XP. On XP Pro:
Right click on the Start button and select "Properties". Select the Customize button. Select the Advanced tab. Navigate to the Control Panel item. Select the "Display as menu" radio button.
After having made these changes, you will then find that you can Navigate to the Control panel using the start menu and right-click on the Control Panel menu items. This also means that you can use the "runas" context menu item to run them as an Administrator. I don't know if this works on NT/2K but you might consider looking for something similar. The advantage of this technique is that your user remains just a user. You get what you need when you need it but not what you don't making your system much more secure. The function of runas is similar in nature to something like kdesu. It is very handy indeed once you get used to it.
3. I remember researching ways to upgrade my user to Administrative group membership using a command line technique. Since I know this can be done, I also know that it can be incorporated into a simple command line login script. What such a script should do is:
A. Check to see if the current user is a member of the local "Administrators" group. B. If no, use the runas facility and add them otherwise exit.
For efficiency, you might consider using groups instead. Samba does not support groups as members of groups but your local machine probably will. Thus you could write you script so that it adds the remote group "Domain Users" to the local group "Administrators".
It is just my opinion but I would use the techniques mentioned in #2 coupled with #3 but only in regards to the Power Users group, just to make life easier.
Jim C. - -- - ----------------------------------------------------------------- | I can be reached on the following Instant Messenger services: | |---------------------------------------------------------------| | MSN: j_c_llings @ hotmail.com AIM: WyteLi0n ICQ: 123291844 | |---------------------------------------------------------------| | Y!: j_c_llings Jabber: jcllings @ njs.netlab.cz | - ----------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBujJi57L0B7uXm9oRAiq/AJ91SjG1FFK2TeJWV+mrDDwdCDGwoACeOqze yf6oCz/5EygbOxjw2+kQLPU= =t0Gn -----END PGP SIGNATURE-----
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba