Users in Domain Admin group (512) don't have admin rights on windows machine

nandon · 01-15-2013, 06:42 AM

Hi everyone,

My Problem is the following:
Users in the Domain Admins group (512) seem not to authenticate at local windows machines with admin rights.

Distribution: CentOS
Kernel: 2.6.18-308.20.1.el5
Systeme: OpenLDAP slapd 2.3.43, Samba version 3.5.10-0.110.el5_8

# net groupmap list
Domain Admins (S-1-5-21-3285246029-973205485-3622274768-512) -> samba_domain_admins
Domain Users (S-1-5-21-3285246029-973205485-3622274768-513) -> samba_domain_users
Domain Guests (S-1-5-21-3285246029-973205485-3622274768-514) -> samba_domain_guests
Domain Computers (S-1-5-21-3285246029-973205485-3622274768-515) -> samba_domain_computers
Administrators (S-1-5-21-3285246029-973205485-3622274768-544) -> samba_administrator
Account Operators (S-1-5-21-3285246029-973205485-3622274768-548) -> samba_account_operators
Print Operators (S-1-5-21-3285246029-973205485-3622274768-550) -> samba_print_operators
Backup Operators (S-1-5-21-3285246029-973205485-3622274768-551) -> samba_backup_operators
Replicators (S-1-5-21-3285246029-973205485-3622274768-552) -> samba_replicators

Additionally here are some screenshots from our Apache Directory Browser with the user accounts backup and root and the group Domain Admins.
backup
root
samba_domain_admins

If you need further confuration, please ask me.
I would be really happy if we could solve this issue.

nandon · 01-17-2013, 09:31 AM

has anybody an idea how this issue could be solved?

nandon · 01-21-2013, 07:24 AM

It seems that this is an synchronization issue.
When I add some ldap-user to the Domain Admins group, a few days later I can login with this user and he is domain admin at a local machine.
But when I remove the user again from Domain Admins then the user still stays domain admin.

Something is still wrong with the system.
Please, if anybody has an idea how this synchronization works please tell me.