It's been a long time, but I think NTPoledit would let you create a .pol file you could put on the netlogon share and have the groups linked. Example: make a domain group called privileged and then create a policy that adds the privileged group to the local admins group... It'd be worth a shot.

Ricky

On Thu, Sep 5, 2013 at 2:21 AM, Götz Reinicke - IT Koordinator <[email protected]> wrote:

> On 04.09.13 17:00, Gregory Sloop wrote:
> >
> > GRIK> On 02.09.13 18:20, Marc Muehlfeld wrote:
> >>> Hello Götz,
> >>>
> >>> On 02.09.2013 14:43, Götz Reinicke - IT Koordinator wrote:
> >>>> It's been some time since I had to touch our samba installation and maybe someone can point me in the right direction.
> >>>>
> >>>> We run a samba-3.6.9 PDC with ldap backend and windows 7 clients. Everything for normal users is working fine (domain logon, roaming profiles).
> >>>>
> >>>> But now we'd like to enable our system administrators to log in to any workstation with their domain user and install software or do other administrative things.
> >>>>
> >>>> I've read a bit about domain accounts and mappings. But I'm not sure where to add or change what.
> >>>>
> >>>> The admins affected are also in a special posix group.
> >>>>
> >>>> There are also "Domain Admins" and "Administrators" posix groups and net groupmap entries.
> >>>>
> >>>> Would be great if someone can help me.
> >>>
> >>> I'm not sure if this is possible with an NT4-style domain. With (Samba) AD it is, if you plan to migrate. Then you can use "restricted groups" for that
> >>> (http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain).
> >>>
> >>> I don't know how many clients you have. If it's a manageable size, you can create a group in your domain, go to each workstation and add this domain group to the local administrators group once. Then everyone who is a member of that domain group is automatically local admin on each of those machines (this is what you do with the "restricted group" in AD in 2 mins, without leaving your desk). You only have to add this domain group on every PC you reinstall.
> >>>
> >>> But if it's a possibility, migrate to Samba AD. AD brings you many great features, especially GPO, multi master replication, etc.
> >
> > GRIK> Hi Marc, currently we don't plan a change to Samba AD, and editing every client to support local groups sounds currently a bit too much. (we have about 200 windows clients and one admin :) )
> >
> > GRIK> Is there not any other chance or way? The admins are very reliable, so they also might have more rights than the "normal" local admin.
> >
> > GRIK> I was thinking of maybe putting them in the group "Domain Admins" which is also used to add workstations to the domain.
> >
> > GRIK> Or is that something different regarding rights?
> >
> > GRIK> Thanks for your feedback. /Götz
> >
> > Yes, making those users members of the "Domain Admins" group will "fix" it - but it also has the *usually* undesired side-effect of also making those people *DOMAIN ADMINS!*!!
> >
> > Making a domain group a member of the local Admins group on each machine also works without the side-effect of giving them domain root equivalent accounts.
> >
> > The first can be done from a single action on the DC - but the second generally requires action at each station. [Without an AD controller that is.]
> >
> > So, roll the dice. Do you really trust that these folks you want to have local admin privs won't whack the domain intentionally or unintentionally? If you feel good enough about that - then perhaps it's right for you.
>
> Hi Greg,
>
> thanks for pointing that out, I'll get some dice and check with the head of department (currently only three people are considered to be domain admins including me)
>
> Regards, Götz
>
> --
> Götz Reinicke
> IT Coordinator
>
> Tel. +49 7141 969 82 420
> Fax +49 7141 969 55 420
> E-Mail [email protected]
>
> Filmakademie Baden-Württemberg GmbH
> Akademiehof 10
> 71638 Ludwigsburg
> www.filmakademie.de
>
> Registered at Amtsgericht Stuttgart, HRB 205016
>
> Chairman of the Supervisory Board: Jürgen Walter MdL
> State Secretary in the Ministry of Science, Research and the Arts Baden-Württemberg
>
> Managing Director: Prof. Thomas Schadt
>
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
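The per-workstation step Marc describes (add one dedicated domain group to the local Administrators group, then manage membership on the PDC) is the alternative to handing out "Domain Admins" that Greg warns against. The script below is an added example written for this thread, not code from the list or from the Samba project. It uses the WinNT ADSI provider, which is available on Windows 7 (the newer Get-LocalGroupMember cmdlets are not), and it must run with local administrator rights on each workstation. The domain name `DOMAIN` and the group name `privileged` are placeholders, and the list of members treated as expected is an assumption about a typical NT4-style member workstation.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on each
# workstation. $Domain and $Group are placeholders for the NetBIOS domain name
# and the dedicated domain group that should become local admin.
param(
    [string]$Domain = 'DOMAIN',
    [string]$Group  = 'privileged'
)

$admins = [ADSI]'WinNT://./Administrators,group'

# Enumerate current members as ADsPath strings, e.g. WinNT://DOMAIN/Domain Admins
$members = @($admins.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})

Write-Host "Local Administrators on $env:COMPUTERNAME currently contains:"
$members | ForEach-Object { Write-Host "  $_" }

# Add the dedicated domain group once; who is in it is then decided on the PDC,
# not on 200 workstations. String comparison in PowerShell is case-insensitive.
$wanted = "WinNT://$Domain/$Group"
if ($members -contains $wanted) {
    Write-Host "$Domain\$Group is already a local administrator; nothing to do."
} else {
    try {
        $admins.Add("$wanted,group")
        Write-Host "Added $Domain\$Group to local Administrators."
    } catch {
        # Typical causes: PDC unreachable, group name wrong, or not running elevated.
        Write-Error "Could not add $Domain\$Group on $env:COMPUTERNAME : $_"
    }
}

# Audit: anything beyond the built-in local Administrator, the dedicated group
# and Domain Admins (added at join time) is worth a second look. Assumed list.
$unexpected = $members | Where-Object {
    ($_ -notlike "*/$env:COMPUTERNAME/Administrator") -and
    ($_ -ne $wanted) -and
    ($_ -ne "WinNT://$Domain/Domain Admins")
}
$unexpected | ForEach-Object {
    Write-Warning "Unexpected member of local Administrators: $_"
}
```

Running it a second time is harmless: the add is skipped when the group is already present, so the same script can be rerun after a reinstall. The audit at the end is what makes the dedicated group approach safer than "Domain Admins": local admin rights stay local, and any extra member that shows up on a workstation is visible rather than hidden behind domain-wide privileges.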
