Use the “net” command to create Admin users on your Windows machines.
By default, when running an OS X Server as a Windows Primary Domain Controller you do not have any Windows Domain Admins. While your LDAP admin username and password can be used to add a Windows machine to the PDC, they cannot be used to actually administer the Windows machine.
To do that, you’re going to need to tell Samba which OS X group you want to use as Domain Admins on your Windows machines. So create a group in Workgroup Manager and add to it the users who need to be admins on the Windows machines. For example, let’s say we created a group called “winadmins” and added all of our users to it. You would then use the net command on the OS X Server to map the winadmins group to the Domain Admins group in the PDC.
sudo net groupmap modify ntgroup="Domain Admins" unixgroup=winadmins
Now log into one of your Windows machines as a user in the winadmins group and you’ll be an admin on the box.
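A check for the mapping described above, added here as an example and not part of the original article: it parses `net groupmap list` output and reports whether "Domain Admins" still maps to the expected group, since every member of that group becomes an administrator on domain clients. The one-mapping-per-line output format is an assumption, and the function names and sample SIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the NT-group-to-Unix-group mapping set with
# `net groupmap modify`. Assumption: `net groupmap list` prints one mapping
# per line as:  NT group name (SID) -> unixgroup

NT_GROUP="Domain Admins"
EXPECTED_UNIX_GROUP="winadmins"   # example group name used in the article

# Constructed sample of `net groupmap list` output (SIDs are made up).
SAMPLE='Domain Admins (S-1-5-21-1111-2222-3333-512) -> winadmins
Domain Users (S-1-5-21-1111-2222-3333-513) -> staff'

# Read mapping lines on stdin; print the Unix group mapped to NT group $1.
mapped_unix_group() {
    awk -v want="$1" '{
        arrow = index($0, " -> ")
        if (arrow == 0) next                  # not a mapping line
        nt = substr($0, 1, arrow - 1)
        sub(/ \(S-[0-9-]*\)$/, "", nt)        # drop the trailing "(SID)"
        if (nt == want) { print substr($0, arrow + 4); exit }
    }'
}

# Read mapping lines on stdin; print ok, missing, or drift:<actual group>.
check_mapping() {
    actual=$(mapped_unix_group "$1")
    if [ -z "$actual" ]; then
        echo "missing"
    elif [ "$actual" = "$2" ]; then
        echo "ok"
    else
        echo "drift:$actual"
    fi
}

if [ "${1:-}" = "--live" ]; then
    # Run on the server itself (as root if net requires it).
    state=$(net groupmap list | check_mapping "$NT_GROUP" "$EXPECTED_UNIX_GROUP")
else
    state=$(printf '%s\n' "$SAMPLE" | check_mapping "$NT_GROUP" "$EXPECTED_UNIX_GROUP")
fi
echo "$NT_GROUP -> $EXPECTED_UNIX_GROUP: $state"
[ "$state" = "ok" ] || echo "Re-apply the mapping with the net groupmap modify command above." >&2
```

Run without arguments it checks the constructed sample; with `--live` it checks the server's real mapping table.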
It is nice. Of course all users but domain admin are simply "Users". I want to
know, is it possible to create "Power Users" in Mac OS X PDC?
Pretty much the same thing.
with these commands – otherwise all your mappings will be flushed on
restart
Yep. I’m filing a bug on that now, and I’ll post a startupitem for this before
too long.
—
Changing the world, one server at a time.
Joel Rennich
http://www.afp548.com
I have 10.3.5 installed and I don’t see it doing this.
What 10.3 has always had in smb.conf is:
admin users = @admin
This makes anyone in the "admin" group run as "root"
when talking to Samba, but that’s not the same as
being in the "Domain Admins" group in general.
The "Domain Admins" group is a group whose members
will automatically be granted "Administrator" privileges
when they login to a domain client machine.
This functionality is provided by the "net groupmap" command,
but is not yet adequately supported by Mac OS.
People need to complain to Apple
Back in July a question was posted about making users Power Users. I wanted
to do the same thing so I did some digging. The first steps are similar to what
MacTroll posted on creating a Domain Admin.
As to not take credit for this, I’ll just paste the link from Samba.org with
detailed instructions on how to do this.
http://lists.samba.org/archive/samba/2004-January/078138.html
Other sources I used were
net groupmap -help & man net
The main difference from adding a Domain Admin the way MacTroll did and
adding a Power User is that once you’ve created the group and mapped it, you
have to add that group to the local machine (or your ghost image) as a Power
User.
Once you get this far, there are a lot of options that can be done using this as
a starting point.
Tim
While this command worked well with 10.3 Panther Server, it doesn’t work with
10.4 Tiger Server.
[2005/08/16 18:29:03, 0] pdb_ods.c:odssam_getgrnam(2906)
odssam_getgrnam: [0]get_sam_record_attributes dsRecTypeStandard:Groups
no account for ‘Domain Admins’!
NT Group Domain Admins doesn’t exist in mapping DB
Do you know why?
I am interested to know if you have had any sort of response from
Apple yet. I am in a similar situation whereby on a panther server I
used the net groupmap command successfully but this won’t work on
the tiger server (clean install). This renders me unable to use Winlock
until this has been resolved.
btw the date is 24.1.06