Bostjan Müller wrote:

Hi everyone,

I am trying to create a couple of users (not root) who would be in the Domain
Admins group, and would have the permissions to add a machine to the domain.

I can confirm that locally (I used sudo without password) as any of
the users of the ntadm group, and each and every one of them can add a user
to the passwd file.
They are also local admins on NT/200X/XP machines when they log in on
the Windows side, but none of them can add a machine to the domain via the
Windows GUI.
The only user that can do that is the user root.

I have googled a lot, and all I could find was that the user has to be
a Domain Admin, and he has to have the unix rights to add the machine
account.

Can someone please explain to me what else has to be done for this to work?

THX in advance,
Bostjan


By design, Windows workstations treat users belonging to the Domain Admins group as Administrators (the Domain Admins group becomes a member of the local Administrators group when the workstation joins the domain).
As Samba needs a posix account for each samba account (even for workstations), and on *nix only root (uid=0) can create users (accounts), you need a way to tell samba to treat some users as root. This is the reason for the existence of the admin users smb.conf parameter. Specify admin users = @domainjoiners in the global section, and members of the domainjoiners group will be able to create accounts, and do all the nasty things allowed only to root (add/remove/modify shares/users) (if you configure them in smb.conf). You can limit their access to files/folders by specifying admin users = root on the share definitions.


Good Luck!

Geza
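
A check for the configuration described in the reply above, as an added example that is not part of the original message: it parses an smb.conf and lists the shares that inherit a global admin users setting because they have no admin users line of their own. The sample file, its workgroup, share names and paths, and the function name audit_admin_users are constructed for illustration.

```python
import configparser

# Constructed sample: the group name comes from the reply above; the
# workgroup, share names and paths are made up for illustration.
SAMPLE_SMB_CONF = """\
[global]
workgroup = EXAMPLE
admin users = @domainjoiners

[profiles]
path = /srv/samba/profiles
admin users = root

[public]
path = /srv/samba/public
"""

def _norm(name):
    # smb.conf ignores case and whitespace in parameter names
    return "".join(name.split()).lower()

def audit_admin_users(conf_text):
    """Return (global 'admin users' value, shares that inherit it).

    Hypothetical helper: a share inherits the global value, and with it
    root-equivalent file access for the listed accounts, unless it sets
    its own 'admin users' line.
    """
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = _norm
    cp.read_string(conf_text)
    sections = {name.lower(): name for name in cp.sections()}
    if "global" not in sections:
        return None, []
    global_value = cp.get(sections["global"], "admin users", fallback=None)
    if not global_value:
        return None, []
    inheriting = [name for low, name in sections.items()
                  if low != "global" and not cp.has_option(name, "admin users")]
    return global_value, inheriting

if __name__ == "__main__":
    value, shares = audit_admin_users(SAMPLE_SMB_CONF)
    print("global admin users:", value)
    print("shares inheriting it:", shares)
```

In the sample, the profiles share carries the per-share override and the public share does not, so only public is reported.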