Domain Admins not Local ADmins

dlublink · 03-01-2005, 09:58 AM

Hi!

I have succesfully setup a Samba server as a Domain Controller. I have about 7 users. Wow!

I have three Windows XP machines that logon to the domain. Now with Windows XP there is this thing called group policy editor, how to I make policies and apply to them to everyone on the network?

Secondly, I have a user called "admin" which is really root in linux. This user has domain admin priviliges (it can create/edit/delete users using NT User Manager). But what I want in addition is for this user to have local admin privileges, so I can modify the file system, hardware etc....

Thanks,

David

I tried to map it to a group:
net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
net groupmap modify ntgroup="Administrators" unixgroup=ntadmins

dlublink · 03-01-2005, 10:51 AM

Some more information:

Windows XP reports that in properties of the Administrators group:

Members:
david (renamed administrator account)

Lublink\Domain Admins (S-1-5-21-4128833642-285588081-677358102-512)

Some output from Linux Commands (note that superman is renamed root account)
web:~ # net groupmap list

System Operators (S-1-5-32-549) -> -1
Domain Guests (S-1-5-21-4128833642-285588081-677358102-514) -> nobody
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> ntadmins
Domain Admins (S-1-5-21-4128833642-285588081-677358102-512) -> ntadmins
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-4128833642-285588081-677358102-513) -> users
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

web:~ # net rpc group MEMBERS "Domain Admins"
Password:
LUBLINK\regis
LUBLINK\superman
LUBLINK\dave

web:~ # cat /etc/group | tail -1
ntadmins:!:1001:regis,superman,dave

dlublink · 03-01-2005, 11:05 AM

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\superman>net user admin /domain
The request will be processed at a domain controller for domain LUBLINK.

User name superman
Full Name root
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 2/24/2005 4:27 PM
Password expires Never
Password changeable 2/24/2005 4:27 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script scripts\logon.bat
User profile \\pdc\Profiles\superman
Home directory \\pdc\superman
Last logon Never

Logon hours allowed All

Local Group Memberships
Global Group memberships *Domain Admins
The command completed successfully.