Hello Samba people!
Thanks to the great docs available, I was able to set up Samba as a PDC in
a few hours. Everything works as I wish, except one thing. As security is
not really a matter in my case, I would like every domain user to be able
to install programs on every domain machine. As I understood, this can be
achieved by adding every domain user to the "Domain Admins" group. Am I
right? Is there a better way to do this?
Anyway, after reading groupmapping.html from the howto-collection, I did
this:
net groupmap add ntgroup="Domain Admins" unixgroup=smbadm
eos:~# grep smbadm /etc/group
smbadm:x:1003:toto,root
eos:~# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3749086184-651259868-1278831297-3007) -> smbadm
Domain Admins (S-1-5-21-3749086184-651259868-1278831297-512) -> -1
Domain Guests (S-1-5-21-3749086184-651259868-1278831297-514) -> -1
Domain Users (S-1-5-21-3749086184-651259868-1278831297-513) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
But it doesn't seem to work. I notice I now have 2 "Domain Admins" groups.
Maybe that is wrong? I am not using winbind, as I understood it shouldn't
be mandatory in my case.
By the way, not being very "fluent" in Windows, how can I check if the
domain user "toto" is a member of one or another domain group under WinXP?
Any help or advice greatly appreciated!
Marc
PS: here are the relevant parts of my smb.conf file:
eos:~# smbd -V
Version 3.0.14a-Debian
[global]
workgroup = EDI
interfaces = 172.17.200.3, 127.0.0.1
bind interfaces only = Yes
obey pam restrictions = Yes
passdb backend = tdbsam, guest
name resolve order = wins host lmhosts bcast
time server = Yes
logon script = logon.bat
logon path =
logon home =
domain logons = Yes
os level = 70
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap ssl = no
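
Added example, not part of Marc's message and not Samba project code: a small Python audit of `net groupmap list` output that reports duplicate group names, well-known domain RIDs (512, 513, 514) left unmapped (-1), and well-known names sitting on some other RID. The function names and finding labels are made up for this illustration; the sample lines are copied from the listing above.

```python
import re
from collections import defaultdict

# Well-known domain RIDs; these numbers are fixed by Windows, not by Samba.
WELL_KNOWN = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>\S+)$")

# Sample input: domain entries and one builtin entry from the listing above.
SAMPLE = """\
Domain Admins (S-1-5-21-3749086184-651259868-1278831297-3007) -> smbadm
Domain Admins (S-1-5-21-3749086184-651259868-1278831297-512) -> -1
Domain Guests (S-1-5-21-3749086184-651259868-1278831297-514) -> -1
Domain Users (S-1-5-21-3749086184-651259868-1278831297-513) -> -1
Administrators (S-1-5-32-544) -> -1
"""

def parse_groupmap(text):
    """Turn 'Name (SID) -> unixgroup' lines into dicts; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sid = m.group("sid")
            entries.append({"name": m.group("name"), "sid": sid,
                            "rid": int(sid.rsplit("-", 1)[1]),
                            "unix": m.group("unix"),
                            "domain": sid.startswith("S-1-5-21-")})
    return entries

def audit(entries):
    """Return (kind, group name, RIDs) tuples for mappings worth a second look."""
    findings, by_name = [], defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e["rid"])
    for name, rids in sorted(by_name.items()):
        if len(rids) > 1:  # same NT name registered under several SIDs
            findings.append(("duplicate-name", name, sorted(rids)))
    for e in entries:
        if not e["domain"]:
            continue  # builtin S-1-5-32-* aliases are out of scope here
        if e["rid"] in WELL_KNOWN and e["unix"] == "-1":
            findings.append(("well-known-unmapped", e["name"], [e["rid"]]))
        elif e["name"] in WELL_KNOWN.values() and e["rid"] not in WELL_KNOWN:
            findings.append(("name-on-other-rid", e["name"], [e["rid"]]))
    return findings

if __name__ == "__main__":
    for kind, name, rids in audit(parse_groupmap(SAMPLE)):
        print(f"{kind}: {name} RIDs={rids}")
```

On a live server the same check can be fed the real listing, for example from `net groupmap list` redirected to a file and read in place of SAMPLE.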