Discussion:
[Samba] Local Administrator access
Knut Olav Bøhmer
12 years ago
Hi,

I have a Windows 7 machine without a local administrator account.
I need to create such an account. I can log in to the machine with a user
on my samba domain.

What do I need to do in order to get administrator access, or access to
create a local administrator account?

I have tried to do this:

[root@float samba]# net rpc group addmem "Administrators" 'DOMAIN\username'
Enter root's password:
Could not add SKOLELINUX\knobo to Administrators: NT_STATUS_NO_SUCH_ALIAS

I have tried to give some rights this way:

net rpc rights grant 'DOMAIN\username' SeMachineAccountPrivilege \
    SeAddUsersPrivilege SeDiskOperatorPrivilege SeSecurityPrivilege \
    SeUndockPrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege \
    SePrintOperatorPrivilege SeCreateGlobalPrivilege \
    SeEnableDelegationPrivilege SeUndockPrivilege SeTakeOwnershipPrivilege

And it does what I tell it:
[root@float samba]# net rpc rights list knobo
Enter root's password:
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemProfilePrivilege
SeUndockPrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege


But I'm still prompted for username and password when I try to access the
user accounts in Windows 7.

Any suggestions?


Regards
--
Knut Olav Bøhmer
Gaiseric Vandal
12 years ago
With Windows7, the 1st account you create during the initial setup is
typically a member of the local admin group. The actual "Administrator"
account is normally disabled. Did this 1st account get deleted?

When you joined the domain, the Domain Admin's groups should have been
added to the local Admin group.

This can get messed up if your group mappings are not set up correctly.

Also, I think when running the "net" command you may want to use "-U
Administrator" to use the credentials of your domain Administrator
account (assuming one has been defined.) In my setup the unix root
does not have a samba account.
...
Gaiseric Vandal
12 years ago
Have you tried logging into the PC using the samba domain administrator
account?

Assuming the PC was properly joined to the domain then you should be
able to configure the local accounts and groups.

You can create a domain group that is then a member of the PC's local
administrator group. This will allow you to define samba users who are
PC administrators but NOT domain administrators.

Whoever joins a PC to a domain needs to be both a local administrator
on that computer and (in most cases) have domain administrator
credentials. (If the machine account was created in advance then the
domain administrator credentials should not be needed.)

Are you sure the PC was joined to the domain?
...
Knut Olav Bøhmer
12 years ago
Hi,

I'm sorry about the last mail. It was incomplete.
It was not me who installed the machine. And from what I can see, there were
no local users created.

So when I installed a new samba domain controller I was not able to log in
to that computer.

So I took the old SID and put it into a new (temporary, on my laptop)
samba server, and copied the old machine account password.
Then I was able to log in. But the user I created on the samba server does
not have local administration rights on the Windows client.

And now, when composing this email, gathering information about my setup
(and a good night's sleep), I discover that the user I used to access the
computer was set to another domain. I found this out by pdbedit -Lv knobo

Thank you for the help :) Without you I would not have figured it out ;)
(maybe)

Best regards
Knut Olav Bøhmer

2012/11/26 Gaiseric Vandal <gaiseric.vandal at gmail.com>
...
--
Knut Olav Bøhmer
41 000 108
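
Added example (not part of the thread and not Samba's own code): the cause found in the last message, an account whose domain field differs from the domain the client was joined to, can be checked for across all accounts by filtering `pdbedit -Lv` output. The sample records, the SIDs and the name OLDDOMAIN are constructed; SKOLELINUX is the domain name shown in the first message, and `find_domain_mismatch` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample of `pdbedit -Lv` output (SIDs and OLDDOMAIN are made up).
sample_pdbedit_output() {
cat <<'EOF'
---------------
Unix username:        knobo
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1001
Domain:               OLDDOMAIN
---------------
Unix username:        teacher
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1002
Domain:               SKOLELINUX
EOF
}

# find_domain_mismatch EXPECTED_DOMAIN   (hypothetical helper)
# Reads `pdbedit -Lv` output on stdin and prints "user domain" for every
# account whose Domain field is not EXPECTED_DOMAIN. The comparison ignores
# case because NetBIOS domain names are not case-sensitive.
find_domain_mismatch() {
    awk -v want="$1" '
        # Emit the record collected so far if its domain is wrong, then reset.
        function report() {
            if (user != "" && toupper(dom) != toupper(want))
                print user, (dom == "" ? "(none)" : dom)
            user = ""; dom = ""
        }
        /^-+$/ { report(); next }            # separator starts a new record
        /^Unix username:/ {
            sub(/^Unix username:[ \t]*/, ""); sub(/[ \t]+$/, "")
            user = $0; next
        }
        /^Domain:/ {
            sub(/^Domain:[ \t]*/, ""); sub(/[ \t]+$/, "")
            dom = $0; next
        }
        END { report() }                      # last record has no trailing separator
    '
}

# On a real server: pdbedit -Lv | find_domain_mismatch SKOLELINUX
sample_pdbedit_output | find_domain_mismatch SKOLELINUX
```

An account listed here authenticates under a different domain name than the one the workstation trusts, so membership of that workstation's local Administrators group has to be checked against the domain actually printed.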