Tips July 29, 2004 at 12:55 pm

Creating Domain Admins on an OS X Server PDC

Use the “net” command to create Admin users on your Windows machines. By default, when running OS X Server as a Windows Primary Domain Controller (PDC) you do not have any Windows Domain Admins. While your LDAP admin username and password can be used to join a Windows machine to the PDC, they cannot be used to actually administer the Windows machine.

To do that, you need to tell Samba which OS X group should be the Domain Admins on your Windows machines. So create a group in Workgroup Manager and add to it the users who need to be admins on the Windows machines. For example, say we created a group called “winadmins” and added all of our users to it. You would then use the net command on the OS X Server to map the winadmins group to Domain Admins in the PDC:

sudo net groupmap modify ntgroup="Domain Admins" unixgroup=winadmins

Now log into one of your Windows machines as a user in the winadmins group and you’ll be an admin on the box.
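The "modify" form above only works when Samba already has a mapping for the NT group; otherwise it reports that the group does not exist in the mapping DB and nothing changes. The following helper, an added example that is not part of the original post, parses the output of "net groupmap list" to decide whether "add" or "modify" is needed. It assumes Samba's list format "<NT group> (<SID>) -> <unix group>" and uses the well-known Domain Admins RID 512; the sample list is constructed for offline testing.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Decide between "net groupmap add" and "net groupmap modify" for an NT group.
# Assumed "net groupmap list" output format:  <NT group> (<SID>) -> <unix group>

# Constructed sample of "net groupmap list" output (offline test data).
SAMPLE_LIST='Domain Admins (S-1-5-21-111-222-333-512) -> winadmins
Domain Users (S-1-5-21-111-222-333-513) -> staff'

# unix_group_for LIST NTGROUP
# Prints the unix group currently mapped to NTGROUP, or nothing if unmapped.
unix_group_for() {
    printf '%s\n' "$1" | awk -v g="$2" '
        index($0, g " (") == 1 { sub(/.*-> /, ""); print; exit }'
}

# groupmap_action LIST NTGROUP
# Prints "modify" if NTGROUP already has a mapping, "add" if it does not.
groupmap_action() {
    if [ -n "$(unix_group_for "$1" "$2")" ]; then
        echo modify
    else
        echo add
    fi
}

# groupmap_command LIST NTGROUP UNIXGROUP RID
# Prints the net command to run. "add" must carry the RID and group type
# (type=d, domain group); "modify" only changes the unix side of the mapping.
groupmap_command() {
    action=$(groupmap_action "$1" "$2")
    if [ "$action" = add ]; then
        printf 'net groupmap add ntgroup="%s" unixgroup=%s rid=%s type=d\n' "$2" "$3" "$4"
    else
        printf 'net groupmap modify ntgroup="%s" unixgroup=%s\n' "$2" "$3"
    fi
}

# Offline demonstration against the constructed sample:
groupmap_command "$SAMPLE_LIST" "Domain Admins" winadmins 512
groupmap_command "" "Domain Admins" winadmins 512
```

On a real server, pass "$(sudo net groupmap list)" as the first argument and run the printed command with sudo.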

  • It is nice. Of course all users but domain admin are simply "Users". I want to
    know, is it possible to create "Power Users" in Mac OS X PDC?

    • Pretty much the same thing.

      net groupmap modify ntgroup="Power Users" unixgroup=osxpowergroup

      Changing the world, one server at a time.

      Joel Rennich

  • with these commands – otherwise all your mappings will be flushed on

  • I have 10.3.5 installed and I don’t see it doing this.

    What 10.3 has always had in smb.conf is:
    admin users = @admin

    This makes anyone in the "admin" group run as "root"
    when talking to Samba, but that’s not the same as
    being in the "Domain Admins" group in general.

    The "Domain Admins" group is a group whose members
    will automatically be granted "Administrator" privileges
    when they login to a domain client machine.

    This functionality is provided by the "net groupmap" command,
    but is not yet adequately supported by Mac OS.

    People need to complain to Apple

  • Back in July a question was posted about making users Power Users. I wanted
    to do the same thing so I did some digging. The first steps are similar to what
    MacTroll posted on creating a Domain Admin.
    As to not take credit for this, I’ll just paste the link from with
    detailed instructions on how to do this.

    Other sources I used were
    net groupmap -help & man net

    The main difference from adding a Domain Admin the way MacTroll did and
    adding a Power User is that once you’ve created the group and mapped it, you
    have to add that group to the local machine (or your ghost image) as a Power
    Once you get this far, there are a lot of options that can be done using this as
    a starting point.


  • While this command worked well with 10.3 Panther Server, it doesn’t work with
    10.4 Tiger Server.

    2005/08/16 18:29:03, 0] pdb_ods.c:odssam_getgrnam(2906)
    odssam_getgrnam: [0]get_sam_record_attributes dsRecTypeStandard:Groups
    no account for ‘Domain Admins’!
    NT Group Domain Admins doesn’t exist in mapping DB

    Do you know why?

    • I am interested to know if you have had any sort of response from
      Apple yet. I am in a similar situation whereby on a panther server I
      used the net groupmap command successfully but this won’t work on
      the tiger server (clean install). This renders me unable to use Winlock
      until this has been resolved.
      btw the date is 24.1.06
