Thanks for that. It's nice to have this explained well. I have a couple of books on w2k, but mostly they talk about AD and are not applicable. I have it working now. On to group policies, which from what I can tell must remain as NT style to have any form of centralized network policies. I don't have any Active Directory at all here, strictly Samba servers.

On Thu, 2003-07-24 at 15:28, Felipe Alfaro Solana wrote:
> On Thu, 2003-07-24 at 22:06, George Farris wrote:
>
> > Well interestingly enough it only works if I make pwruser (which is
> > mapped to "Domain Users") be the primary group of the user. This is
> > confusing because with the user I have set up for a Domain Admin
> > (unixgroup dadmin) dadmin is not its primary group.
> >
> > Any thoughts?
>
> I can't follow you. Let's go part by part:
>
> 1. The concept of primary group is similar to Unix. There is nothing
> particular with a primary group, except that it's mandatory. A user
> *must* belong to at least one group. And, a user can belong to more than
> one group. Thus, I don't understand you when you say "dadmin is not its
> primary group."
>
> 2. "Domain Users" is a global group belonging to a particular domain and
> thus, any computer belonging to that domain, can reference it. There can
> only exist one instance of the "Domain Administrators" global group for
> every domain. Normally, you add all users from that domain to this
> group, so you can reference all of them at once, for example, to allow
> or deny access to a particular resource, machine, program, etc.
>
> 3. "Power Users" is a local group, not a global one. That is, it does
> not belong to any domain, but belongs to a machine. It's said that the
> "Power Users" group is not stored in a domain controller, but on the SAM
> of a Windows machine (for example, a Windows XP computer). By saying
> that it's a local group, I mean there exists one instance of this group
> on every Windows computer, but no instances of it on any domain
> controller. So, you should never ever create "Power Users" as a global
> group on your Windows/Samba domain controller.
>
> EXAMPLE:
>
> Let's say you have 3 user accounts on the domain "DOM":
>
> "DOM\A", "DOM\B" and "DOM\C".
>
> If we want to make those users members of the "Power Users" group on the
> Windows machine called MACHINE1, we usually do the following:
>
> 1. Add "DOM\A", "DOM\B" and "DOM\C" to the "Domain Users" global group
> of the "DOM" domain (that is, we add them to "DOM\Domain Users").
> 2. Next, we log on to the MACHINE1 as an Administrator and then we add
> the global group "DOM\Domain Users" to the local "Power Users" group.
> 3. The net effect is that since "DOM\A" is a member of "DOM\Domain Users",
> and "DOM\Domain Users" is also a member of the group "Power Users",
> transitively, "DOM\A" becomes a member of the MACHINE1's "Power Users"
> local group. Since by default on any Windows machine, every member of
> the "Power Users" group has additional privileges over standard users
> (like changing the system clock and shutting down the computer), the
> user "DOM\A" will have those additional privileges.
>
> We could have added "DOM\A", "DOM\B" and "DOM\C" directly to MACHINE1's
> "Power Users", but what would happen if sometime in the future, a fourth
> user "DOM\D" needs those elevated privileges. It's simpler to add
> "DOM\D" to the "DOM\Domain Users" and then, by the transitive effect
> described above, "DOM\D" will automatically be considered a member of
> the local "Power Users" group for MACHINE1.
>
> Since "Power Users" is local to all machines, you'll have to repeat this
> operation on every Windows machine in which you want this mapping.
>
> I hope this is clearer now.

--
George Farris [EMAIL PROTECTED]
Computer Support Cowichan.

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
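
The nesting described in the quoted explanation, as an added example that is not part of the original thread: a small Python model that expands a machine-local group into its effective users and lists the global groups nested in it, which is the check to run when auditing who actually holds "Power Users" rights. The account, group and machine names come from the thread; the data structures, the MACHINE2 entry and the function names are hypothetical.

```python
# Constructed sample data using the names from the thread.
# Global groups live on the domain controller and contain only users.
GLOBAL_GROUPS = {
    r"DOM\Domain Users": {r"DOM\A", r"DOM\B", r"DOM\C"},
}
# Local groups live in each machine's own SAM, so they are keyed per machine.
# MACHINE2 is a hypothetical second workstation where the mapping was never made.
LOCAL_GROUPS = {
    ("MACHINE1", "Power Users"): {r"DOM\Domain Users"},
    ("MACHINE2", "Power Users"): set(),
}


def effective_members(machine, local_group, local_groups, global_groups):
    """Return the users who hold membership of a local group on one machine.

    Assumes NT-style nesting as described in the thread: a local group may
    contain users and global groups, and global groups contain only users,
    so a single level of expansion is enough.
    """
    users = set()
    for member in local_groups.get((machine, local_group), set()):
        if member in global_groups:
            users |= global_groups[member]  # transitive membership
        else:
            users.add(member)  # account added directly
    return users


def nested_global_groups(machine, local_group, local_groups, global_groups):
    """List global groups nested in a local group: every future member of
    those groups silently inherits the local group's privileges."""
    members = local_groups.get((machine, local_group), set())
    return sorted(m for m in members if m in global_groups)


def machines_granting(user, local_group, local_groups, global_groups):
    """List machines on which the user is an effective member of local_group."""
    return sorted(
        machine
        for (machine, group) in local_groups
        if group == local_group
        and user in effective_members(machine, group, local_groups, global_groups)
    )


if __name__ == "__main__":
    print(effective_members("MACHINE1", "Power Users", LOCAL_GROUPS, GLOBAL_GROUPS))
    print(nested_global_groups("MACHINE1", "Power Users", LOCAL_GROUPS, GLOBAL_GROUPS))
    print(machines_granting(r"DOM\A", "Power Users", LOCAL_GROUPS, GLOBAL_GROUPS))
```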
