Discussion:
[Samba] Domain admins not getting local admin rights
Morgan Toal
2005-01-28 03:52:01 UTC
Hi there,

I switched servers yesterday.
The old server was running 2.2.7a-1 on RedHat 8.0.
The new server is 3.0.8-0.pre1.3 on Fedora Core 3.

I did the migration by copying the following:
/etc/passwd
/etc/group
/etc/shadow
/etc/samba/*

I then copied /home and fixed all the permissions on stuff.

I then started up samba on the new server, and unplugged the old one.

Most everything went smoothly, everyone could log in, we did not have to
re-join client computers to the domain.

However, I am not understanding why my domain administrator accounts are
now not getting local administrator privileges when logged in. This
always worked fine on Samba 2.2.7a-1!

I now cannot, when logged in on a W2K workstation as a domain user
called "nsu", which is a member of "domain admins", modify files in
C:\WINNT, or modify the local registry, etc.

On a W2K workstation, in the Local Users and Groups applet I can see that
the local "Administrators" does in fact contain "PD/Domain Admins" and
it gives a partial listing of the group's SID.

I cannot confirm if this is the same SID as my SID in samba for "Domain
Admins". It should be the same, right? Can anyone suggest a tool I could
use to confirm this?

I *really* don't want to have to add a domain group of people who should
be local administrator to the local administrators group on each
workstation, as we have quite a number of workstations, so I have not
tried this yet...

Can someone else suggest something for me to check or try? Thanks!

mtoal

-----------------------------------------------------------------------------------------

[***@pd1 ~]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Domain Users (S-1-5-21-2634632689-992284068-1313363551-513) -> -1
Domain Admins (S-1-5-21-2634632689-992284068-1313363551-512) -> domainadmin
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Guests (S-1-5-21-2634632689-992284068-1313363551-514) -> -1
Domain Users (S-1-5-21-3505514775-834951346-1128776050-513) -> -1
Domain Admins (S-1-5-21-3505514775-834951346-1128776050-512) -> -1
Domain Guests (S-1-5-21-3505514775-834951346-1128776050-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> domainadmin
Administrators (S-1-5-32-544) -> domainadmin
cid (S-1-5-21-2634632689-992284068-1313363551-2045) -> cid
Account Operators (S-1-5-32-548) -> -1
seint (S-1-5-21-2634632689-992284068-1313363551-2157) -> seint
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

-----------------------------------------------------------------------------------------

[***@pd1 ~]# cat /etc/samba/smb.conf

log level = 4

netbios name = pd1
workgroup = pd

os level = 200
preferred master = no
domain master = yes
local master = no

wins support = no
wins server = 192.168.18.14
name resolve order = wins lmhosts
enhanced browsing = no

security = user
encrypt passwords = yes

domain logons = yes
logon path =
logon drive = Z:
logon home = \\%L\%u
logon script = logon.bat

add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

use client driver = yes

host msdfs = yes

guest account = guest
map to guest = bad user

username map = /etc/samba/smbusers
admin users = @domainadmin
news.gmane.org
2005-01-28 04:56:11 UTC
You need to map the ntgroup "Domain Admins" to a valid unixgroup. This is
new in Samba 3. I'm assuming in Samba 2.x, you had a line 'domain admins =
somevalidunixgroup' in your smb.conf file. That is the group you want to
map "Domain Admins" to. This is done with the 'net groupmap' command. To
see all of your groupmaps, type 'net groupmap list'. You'll probably see
'Domain Admins -> blank'. Now type:

net groupmap modify ntgroup="Domain Admins" unixgroup=somevalidunixgroup

(the quotes are needed because of the space in Domain Admins). net groupmap
list should now report Domain Admins -> somevalidunixgroup. Also, remove
the 'domain admins = ' line from your smb.conf.

Might have to restart smb, can't remember. Definitely have to log off/log
back on to workstation and you should now be a local admin on the
workstation.
Dana Forte
2005-01-28 05:02:04 UTC
Looks like there are 2 "Domain Admin" ntgroups, each with a different SID.
Delete the one that doesn't match the domain portion of the output of 'net
getlocalsid', then make sure the one that is left is mapped to the correct
unixgroup.
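The check Dana describes, as an added example (not code from the thread or from the Samba project): a Python script that parses `net groupmap list` output and reports NT groups listed under more than one domain SID, entries whose domain SID differs from the one `net getlocalsid` reports, and domain groups shown with `-1` instead of a unix group. The function names are hypothetical, and the `net getlocalsid` line is a constructed stand-in because the thread never shows that output; which of the two SIDs is really the local one is an assumption.

```python
import re
from collections import defaultdict

# One line of `net groupmap list` output: "NT name (SID) -> unix group".
LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>\S+)$")
DOMAIN_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+")
BUILTIN_PREFIX = "S-1-5-32-"  # BUILTIN aliases carry no domain SID

# Lines copied from the `net groupmap list` output in the first post.
SAMPLE_GROUPMAP = """\
Domain Users (S-1-5-21-2634632689-992284068-1313363551-513) -> -1
Domain Admins (S-1-5-21-2634632689-992284068-1313363551-512) -> domainadmin
Domain Admins (S-1-5-21-3505514775-834951346-1128776050-512) -> -1
Administrators (S-1-5-32-544) -> domainadmin
cid (S-1-5-21-2634632689-992284068-1313363551-2045) -> cid
"""

# Constructed stand-in for `net getlocalsid` output (not shown in the thread).
# Assumption: the first of the two domain SIDs is the server's own.
SAMPLE_GETLOCALSID = (
    "SID for domain PD1 is: S-1-5-21-2634632689-992284068-1313363551"
)


def extract_domain_sid(getlocalsid_output):
    """Pull the S-1-5-21-x-y-z domain SID out of free-form command output."""
    m = DOMAIN_SID_RE.search(getlocalsid_output)
    return m.group(0) if m else None


def parse_groupmap(text):
    """Return (nt_name, sid, unix_group) tuples; lines that do not fit are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["nt"], m["sid"], m["unix"]))
    return entries


def audit(entries, domain_sid):
    """Return sorted (kind, nt_name, detail) findings relative to domain_sid."""
    findings = set()
    domains_by_name = defaultdict(set)
    for nt, sid, unix in entries:
        if sid.startswith(BUILTIN_PREFIX):
            continue  # BUILTIN groups are the same on every host
        dom, _, _rid = sid.rpartition("-")  # split off the trailing RID
        domains_by_name[nt].add(dom)
        if dom != domain_sid:
            # Left over from another domain SID, e.g. the old server's.
            findings.add(("foreign-domain-sid", nt, sid))
        elif unix == "-1":
            # -1 is printed where no unix group is attached to the NT group.
            findings.add(("unmapped", nt, sid))
    for nt, doms in domains_by_name.items():
        if len(doms) > 1:
            findings.add(("duplicate-ntgroup", nt, ", ".join(sorted(doms))))
    return sorted(findings)


if __name__ == "__main__":
    sid = extract_domain_sid(SAMPLE_GETLOCALSID)
    for kind, nt, detail in audit(parse_groupmap(SAMPLE_GROUPMAP), sid):
        print(f"{kind:20} {nt:15} {detail}")
```

On a live server, feed the two functions the real output of `net groupmap list` and `net getlocalsid` in place of the sample strings.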
John H Terpstra
2005-01-28 05:26:42 UTC
Post by Dana Forte
Looks like there are 2 "Domain Admin" ntgroups, each with a different SID.
Delete the one that doesn't match the domain portion of the output of 'net
getlocalsid', then make sure the one that is left is mapped to the correct
unixgroup.
Alternately, stop samba then delete the group_mapping.tdb file, restart samba
and then remap your groups. Example:

net groupmap modify ntgroup="Domain Admins" unixgroup=flyingpigs

Cheers,
John T.
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
Morgan Toal
2005-01-28 21:33:45 UTC
Hi there,

Thanks to everyone for their suggestions.

Unfortunately, I must be missing something, I did delete the
group_mappings.tdb and re-create my groups. This has not improved the
situation unfortunately.

Where else might I look?

An aside question: how can I be sure, from the perspective of the
Windows workstation, what exactly Windows sees my group
memberships/privileges? I don't know of a way to determine this, some
little utility or applet?

Thanks,

mtoal
Robert M. Martel
2005-01-28 23:46:23 UTC
Post by Morgan Toal
Hi there,
Thanks to everyone for their suggestions.
Unfortunately, I must be missing something, I did delete the
group_mappings.tdb and re-create my groups. This has not improved the
situation unfortunately.
Where else might I look?
...

I saw a problem like this when testing Samba 3 on Solaris 9. I had to
make sure that the "domain admin" group mapped to the unix group that I
wanted *and* that unix group had to be the PRIMARY group for the user in
question.

Under Samba 2 I had several users that were in the unix "ntadmin" group
as one of their secondary groups and my smb.conf was set accordingly.
Everything worked as expected.

Under Samba 3 I mapped the "Domain Admin" group to the same unix group -
but the users never received the administrative privileges. I played
around for a bit and finally tried mapping "Domain Admin" to my primary
group and then I was able to receive the administrative privileges.

I asked on the list at the time if this was the expected behavior -
which is to say Samba ignored the user's secondary group for this role,
or if I had happened upon a bug. I did not receive an answer at the time.

-Bob Martel
--
***********************************************************************
Bob Martel,System Administrator I met someone who looks a lot like you
Levin College of Urban Affairs She does the things you do
Cleveland State University But she is an IBM
(216) 687-2214
***@urban.csuohio.edu -Jeff Lynne
***********************************************************************
Paul Gienger
2005-01-29 00:24:06 UTC
Post by Robert M. Martel
I saw a problem like this when testing Samba 3 on Solaris 9. I had to
make sure that the "domain admin" group mapped to the unix group that
I wanted *and* that unix group had to be the PRIMARY group for the
user in question.
This sounds a lot like the secondary user not recognized bug that
affected Solaris boxes running LDAP for their posix data. This has
since been resolved via patch 112960-22 or its latest rev from Sun. I
can verify that it works correctly now, in my setup running with a
Solaris 9 PDC.
--
Paul Gienger Office: 701-281-1884
Applied Engineering Inc.
Systems Architect Fax: 701-281-1322
URL: www.ae-solutions.com mailto: ***@ae-solutions.com
Robert M. Martel
2005-01-29 03:43:55 UTC
Post by Paul Gienger
Post by Robert M. Martel
I saw a problem like this when testing Samba 3 on Solaris 9. I had to
make sure that the "domain admin" group mapped to the unix group that
I wanted *and* that unix group had to be the PRIMARY group for the
user in question.
This sounds a lot like the secondary user not recognized bug that
affected Solaris boxes running LDAP for their posix data. This has
since been resolved via patch 112960-22 or its latest rev from Sun. I
can verify that it works correctly now, in my setup running with a
Solaris 9 PDC.
I wondered about the bug - but I am not using LDAP - my user information
is kept in NIS+. The test system where I first saw the problem was
just using flat /etc/passwd, /etc/shadow, and /etc/group.

-Bob Martel
Morgan Toal
2005-01-29 00:28:57 UTC
OK here's the deal, thanks especially to John for your time today and
remedial attention :)

My issue, to repeat myself, was that I was logging in as a domain
administrator on a Windows box, and while I was domain administrator
just fine, I was not having local administrator rights on that box. For
example, I could not install software, or change the network connection,
things like that which are a pain in the keester.

Turns out I had several issues going on, pretty much all relating to the
fact that I had simply migrated my samba v2.2 configuration in situ and
expected it to just work, and mostly it just did... mostly...

1. I was still using smbpasswd, and needed to move to tdbsam. Apparently
I could have done net groupmaps all day and these are ignored if
you're not using tdbsam as your authentication mechanism as smbpasswd
cannot tie together the SIDs and such which results in users
disconnected with their appropriate group memberships. (correct me if I
am wrong). So I converted it with:

pdbedit -i smbpasswd -e tdbsam

This process took all of 2 seconds.

2. I needed to modify the [global] section in my smb.conf to conform to
v3 features. For example I did not have the "add machine script"
directive set. I basically copied the one in the "impatient" section of
the howto. I needed to set "passdb backend = tdbsam" since we're using
this now.

3. I probably did not need to, but I stopped samba, blew away my old
/var/cache/samba/group_mapping.tdb and restarted samba.

4. I had to remap my groups, since I nuked group_mapping.tdb:

net groupmap modify ntgroup="Domain Admins" unixgroup=domainadmin

5. I logged out on my Windows box as the domain admin user, and logged
back in as that same user. Lo and behold, I am local administrator
again. Whoo-hoo!!! :)

thanks again!

mtoal