Hmmm, giving users local admin rights, that's not the way to do it, and it makes your network insecure. Better to control this through the domain groups.
This is how I do it. I create a domain group, add the users to it, and through a login script I create a local group and add the domain group to it. Now, on directories/files or in the registry, I give the local group the needed rights.

Louis

>-----Original message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Gustavo Michels
>Sent: Thursday, 9 October 2008 22:27
>To: samba@lists.samba.org
>Subject: [Samba] Samba PDC + LDAP: adding user to local admin group
>
>Hi all,
>
>I'm evaluating Zimbra [1] as the groupware server for my small company. It
>uses OpenLDAP for authentication services and I'm configuring a Samba server
>as a PDC for my company, using the same ldap backend.
>
>So far, so good, everything is working beautifully well, I can add computers
>to the domain, login from any workstation, access shares with the
>appropriate rights and so on. However there's one last thing I need: some
>normal domain users need administrative rights on their local machines.
>
>I know I can go into each workstation and add the user to local
>administrators group, however that's not the right way to do it. Can I have
>it set on the domain level, so that if the user logs in on any workstation, he
>will be granted the correct local admin rights on that workstation?
>
>Here's what I tried, user 'producao' (id=10003) and group 'Local Admins'
>(id=10005):
>
># net groupmap list
>Vendas (S-1-5-21-594618841-1354246140-1601124177-21002) -> Vendas
>Domain Admins (S-1-5-21-594618841-1354246140-1601124177-512) -> Admins
>Produção (S-1-5-21-594618841-1354246140-1601124177-21006) -> Producao
>Financeiro (S-1-5-21-594618841-1354246140-1601124177-21008) -> Financeiro
>Local Admins (S-1-5-21-594618841-1354246140-1601124177-544) -> Local Admins
>
>Here you can see that 'Local Admins' has the correct RID (544).
>
># getent group |grep Admin
>Admins:*:10002:
>Local Admins:*:10005:10003
>
># getent passwd |grep producao
>producao:*:10003:10003:Produção Colortech:/colortech/homes/producao:/bin/false
>
>User 'producao' is a member of 'Local Admins' group (secondary, since I read
>that BUILTIN groups cannot be a primary group for a user in a Windows NT4
>domain).
>
># /opt/zimbra/openldap/bin/ldapsearch -x -h servidor.colortech "cn=Local Admins"
># extended LDIF
>#
># LDAPv3
># base <> with scope subtree
># filter: cn=Local Admins
># requesting: ALL
>#
>
># Local Admins, groups, colortechdp.com.br
>dn: cn=Local Admins,ou=groups,dc=colortechdp,dc=com,dc=br
>gidNumber: 10005
>displayName: Local Admins
>sambaGroupType: 5
>description: Local Admins
>cn: Local Admins
>sambaSID: S-1-5-21-594618841-1354246140-1601124177-544
>memberUid: 10003
>objectClass: posixGroup
>objectClass: sambaGroupMapping
>
>And the information on the LDAP server seems to be correct, including the
>sambaGroupType property set to 5, instead of 2.
>
>So, what is wrong in here? Or isn't it possible to do it at the domain
>level?
>
>Thanks
>Gustavo
>
>[1] http://www.zimbra.com
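
An added example, not part of either message and not Samba's own code: a small Python check over `net groupmap list` output like the one quoted above. It separates domain-relative SIDs (`S-1-5-21-...`) from the BUILTIN authority (`S-1-5-32`) and reports mappings whose RID is a well-known privileged one. The sample lines are copied from the quoted output; the function names and finding labels are hypothetical.

```python
import re

# Lines copied from the `net groupmap list` output quoted in the thread.
SAMPLE = """\
Vendas (S-1-5-21-594618841-1354246140-1601124177-21002) -> Vendas
Domain Admins (S-1-5-21-594618841-1354246140-1601124177-512) -> Admins
Local Admins (S-1-5-21-594618841-1354246140-1601124177-544) -> Local Admins
"""

BUILTIN_AUTHORITY = "S-1-5-32"   # per-machine BUILTIN aliases live here
ALIAS_RIDS = {544: "Administrators", 545: "Users", 546: "Guests", 547: "Power Users"}
DOMAIN_PRIVILEGED_RIDS = {512: "Domain Admins"}

LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-\d+(?:-\d+)+)\) -> (?P<unix>.+)$")


def parse_groupmap(text):
    """Return one dict per mapping line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            prefix, _, rid = m["sid"].rpartition("-")
            entries.append({"nt": m["nt"], "unix": m["unix"], "sid": m["sid"],
                            "prefix": prefix, "rid": int(rid)})
    return entries


def review(entries):
    """Return (nt_group, finding) pairs worth a second look."""
    findings = []
    for e in entries:
        if e["prefix"] == BUILTIN_AUTHORITY and e["rid"] in ALIAS_RIDS:
            findings.append((e["nt"], "builtin-alias"))
        elif e["prefix"].startswith("S-1-5-21-"):
            if e["rid"] in DOMAIN_PRIVILEGED_RIDS:
                findings.append((e["nt"], "privileged-domain-group"))
            elif e["rid"] in ALIAS_RIDS:
                # Domain SID + 544 is a different SID from S-1-5-32-544, so it
                # does not name the workstation's BUILTIN\Administrators alias.
                findings.append((e["nt"], "alias-rid-under-domain-sid"))
    return findings


if __name__ == "__main__":
    for nt, finding in review(parse_groupmap(SAMPLE)):
        print(f"{nt}: {finding}")
```
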