Re: [Samba] Simple group question...‏

[Charles Marcus]

On 7/10/2009, Regis Niggemann (reg...@techheads.com) wrote:
> Of course the problem with this method is you are granting that group admin
> rights to all those computers.  If a single account in that group with those
> rights becomes infected with some malware, it is possible for that malware
> to infect ALL the computers.
> 
> Just saying...

Not a problem if you ALSO restrict each user to only be able to log onto
their computer... this way, even though they are in that group, they can
only log onto theirs...

-- 

Best regards,

Charles
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Re: [Samba] Simple group question...‏

[Olivier Nicole]

Hi,

> After join computer to domain  then log on to Windows Xp with local
> administrator account and go to control panel -> addusers (select
> account from your domain) -> Grant access level to your domain account
> as "Administrator".

I missed the begining of the discussion, but I am using the following
in the login.bat:

net localgroup administrators samba\user /add

Of course there is a problem of bootstrap as this command needs
administrator privileges on the local to run.

That I solved using vbrunas.vbe.

Bests,

olivier

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Simple group question...‏

[Norberto Bensa]

2009/7/10 Regis Niggemann :
> IF (and it's a big IF) a user HAS to have admin rights on the local machine,
> then grant that user those rights only on their primary machine.  I
> acknowledge that it can be a pain to administer if you have a lot of users
> that use different machines.  But in most circumstances, a single user uses
> a single machine and it's manageable.

If you're talking about one user on one specific machine, then yes,
give him rights on their box.

I don't know why but I thought that we were talking about a group of
people. IT staff for example usually needs admin right in every
computer in an organization.

Regards,
Norberto
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Simple group question...‏

[Regis Niggemann]

IF (and it's a big IF) a user HAS to have admin rights on the local machine,
then grant that user those rights only on their primary machine.  I
acknowledge that it can be a pain to administer if you have a lot of users
that use different machines.  But in most circumstances, a single user uses
a single machine and it's manageable.


On 7/9/09 11:06 PM, "Norberto Bensa"  wrote:

> 2009/7/10 Regis Niggemann :
>> Of course the problem with this method is you are granting that group admin
>> rights to all those computers.  If a single account in that group with those
>> rights becomes infected with some malware, it is possible for that malware
>> to infect ALL the computers.
>> 
> 
> Do you know a better way?

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Simple group question...‏

[Norberto Bensa]

2009/7/10 Regis Niggemann :
> Of course the problem with this method is you are granting that group admin
> rights to all those computers.  If a single account in that group with those
> rights becomes infected with some malware, it is possible for that malware
> to infect ALL the computers.
>

Do you know a better way?
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Simple group question...‏

[Regis Niggemann]

Of course the problem with this method is you are granting that group admin
rights to all those computers.  If a single account in that group with those
rights becomes infected with some malware, it is possible for that malware
to infect ALL the computers.

Just saying...

 
> If you have 500 computers to admin, how do you remove Tom's admin rights?
> 
> The best way is:
> 
> - Create a new domain group.
> - Add users to new domain group.
> - Add this new domain group to the local administrators group on each machine.
> 
> Now, every user in "new domain group" will have admin rights in the computers.
> 
> If for some reason you think John Doe does not need admin rights
> anymore, you just remove him from the "new domain group"

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Simple group question...‏

[Norberto Bensa]

On Fri, Jul 10, 2009 at 2:18 AM, supha...@gmx.com wrote:
> Hi,
> This works for me ,you can try.
>
> After join computer to domain  then log on to Windows Xp with local
> administrator account and go to control panel -> addusers (select
> account from your domain) -> Grant access level to your domain account
> as "Administrator".
>

That's the admin nightmare :-)

If you have 500 computers to admin, how do you remove Tom's admin rights?

The best way is:

- Create a new domain group.
- Add users to new domain group.
- Add this new domain group to the local administrators group on each machine.

Now, every user in "new domain group" will have admin rights in the computers.

If for some reason you think John Doe does not need admin rights
anymore, you just remove him from the "new domain group"
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Simple group question...‏

[supha...@gmx.com]

Hi,
This works for me ,you can try.

After join computer to domain  then log on to Windows Xp with local
administrator account and go to control panel -> addusers (select
account from your domain) -> Grant access level to your domain account
as "Administrator".

Or you can use "net" command to do this.

Open a cmd shell, then execute:

C:\> net localgroup administrators /add MYDOMAIN\tom

Regards,
Tom

samba-bounces+hypermonk=hotmail@lists.samba.org on behalf of steve
wrote:
> New to this windows domain stuff, sorry ( at my age learning new stuff
> can take a while ). 
>  
> I've set up a domain and joined a couple of XP workstations to is and
> all is fine. What I want to do now is to ensure that the users of these   
>  
> PCs still have administrative rights on their PC's. 
>  
> Can anyone show me the basics / point me to a good guide on how to do
> this???
>  
> TIA,
>  
> Steve
>  
> -- 
> Steve Holdoway 
> http://www.greengecko.co.nz 
> MSN: st...@greengecko.co.nz
> GPG Fingerprint = B337 828D 03E1 4F11 CB90  853C C8AB AF04 EF68 52E0
>   

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Simple group question...

[Jonathon Doran]

Quoting steve :


New to this windows domain stuff, sorry ( at my age learning new stuff
can take a while ).

I've set up a domain and joined a couple of XP workstations to is and
all is fine. What I want to do now is to ensure that the users of these
PCs still have administrative rights on their PC's.

Can anyone show me the basics / point me to a good guide on how to do
this???


What I did was to create a new group "Desktop Administrators", and add  
that group to the local administrator group on each of my machines.  I  
keep a master image for a lab machine and update it periodically, then  
copy it to the other machines.  So an update to the local settings  
doesn't require running around to all machines.


Since we use LDAP to manage user/groups, adding/removing people from  
this new group is trivial.


I'm pretty new to all of this, so I'll be interested in hearing of any  
better solutions.  But this one seems to work well.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba