Is it possible to have 2000 windows machines recognize Domain Users under the local Power Users group? Right now I'm using samba 3beta3. Do I need kerberos support compiled in?

Thanks for your help

Jason

I have also struggled with this problem. It seems one can map a domain group such as Domain Admins and have it take effect on the workstation but Power Users is, I think, a local group and it doesn't work even though one can map a unix group to it.

So how can one add users to a Power User group and have it take effect like Domain Admins?

On Thu, 2003-07-24 at 06:47, Jason C. Waters wrote:
> Is it possible to have 2000 windows machines recognize Domain Users under
> the local Power Users group? Right now I'm using samba 3beta3. Do I
> need kerberos support compiled in? Thanks for your help
>
> Jason

--
George Farris farrisg@mala.bc.ca
Computer Support Cowichan.

$%#@&^% I forgot to delete the profile. It works.

Now I should be able to make a new "Domain Power Users" group with "net groupmap add". How does one find a new sid or can I just increment the last number used like so:

[root@owl profiles]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Domain Guests (S-1-5-21-1135672234-1853056381-2991119365-514) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Domain Users (S-1-5-21-1135672234-1853056381-2991119365-513) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> users
Domain Admins (S-1-5-21-1135672234-1853056381-2991119365-512) -> dadmin

Since S-1-5-21-1135672234-1853056381-2991119365-514 is the last number displayed I could use:

S-1-5-21-1135672234-1853056381-2991119365-515

Also how does one remove a mapping from a local unixgroup? It seems once mapped, I can only ever assign it to a new group or delete the ntgroup and start again.

On Thu, 2003-07-24 at 13:18, Jason C. Waters wrote:
> Did you try it after deleting the profile?
>
> George Farris wrote:
>
> >Well interestingly enough it only works if I make pwruser (which is
> >mapped to "Domain Users") be the primary group of the user. This is
> >confusing because with the user I have set up for a Domain Admin
> >(unixgroup dadmin) dadmin is not its primary group.
> >
> >Any thoughts?
> >
> >On Thu, 2003-07-24 at 12:22, Felipe Alfaro Solana wrote:
> >
> >>On Thu, 2003-07-24 at 18:31, George Farris wrote:
> >>
> >>>I have also struggled with this problem. It seems one can map a domain
> >>>group such as Domain Admins and have it take effect on the workstation
> >>>but Power Users is, I think, a local group and it doesn't work even
> >>>though one can map a unix group to it.
> >>>
> >>>So how can one add users to a Power User group and have it take effect
> >>>like Domain Admins?
> >>>
> >>On Windows, the "Power Users" is a local group, that is, its members
> >>are not stored on a domain controller, but on the local SAM of the
> >>machine. Thus, if for a specific machine you want to make all Domain
> >>Users to be Power Users, you'll need to use Windows administration tools
> >>and *manually* add the "Domain Users" global group to the "Power Users"
> >>local group of the machine.
> >>

--
George Farris farrisg@mala.bc.ca
Computer Support Cowichan.

Yes thanks, sorry to upset you:-) I think we understand that now. Must be frustrating to what a newbie eh:-) Kind of funny.

So how do I unmap it from a unix group? Do I have to delete the "Power Users" group and re-create it?

On Thu, 2003-07-24 at 15:32, Felipe Alfaro Solana wrote:
> On Thu, 2003-07-24 at 23:06, Jason C. Waters wrote:
>
> > net groupmap modify ntgroup="Power Users" unixgroup="pwrusers"
> >
> > something like that!
>
> Oh, my god! Please, stop this now! "Power Users" is a local group, not a
> global group! You should never, ever create "Power Users" as a global
> group, nor map it to a Unix group.
>
> I recommend you reading this:
>
> http://www.microsoft.com/windows2000/en/server/help/lsm_local_groups.htm
>
> to clarify on the difference between built-in local groups and built-in
> domain (or global) groups.

--
George Farris farrisg@mala.bc.ca
Computer Support Cowichan.

On Thu, 24 Jul 2003, George Farris wrote:

> Yes thanks, sorry to upset you:-) I think we understand that now. Must
> be frustrating to what a newbie eh:-) Kind of funny.
>
> So how do I unmap it from a unix group? Do I have to delete the "Power
> Users" group and re-create it?

net groupmap modify ntgroup=Group-Name unixgroup=nobody

- John T.

>
> On Thu, 2003-07-24 at 15:32, Felipe Alfaro Solana wrote:
> > On Thu, 2003-07-24 at 23:06, Jason C. Waters wrote:
> >
> > > net groupmap modify ntgroup="Power Users" unixgroup="pwrusers"
> > >
> > > something like that!
> >
> > Oh, my god! Please, stop this now! "Power Users" is a local group, not a
> > global group! You should never, ever create "Power Users" as a global
> > group, nor map it to a Unix group.
> >
> > I recommend you reading this:
> >
> > http://www.microsoft.com/windows2000/en/server/help/lsm_local_groups.htm
> >
> > to clarify on the difference between built-in local groups and built-in
> > domain (or global) groups.
>

--
John H Terpstra
Email: jht@samba.org

to unmap it just do groupmap delete sid=sidofPowerUsers

George Farris wrote:

>Yes thanks, sorry to upset you:-) I think we understand that now. Must
>be frustrating to what a newbie eh:-) Kind of funny.
>
>So how do I unmap it from a unix group? Do I have to delete the "Power
>Users" group and re-create it?
>
>On Thu, 2003-07-24 at 15:32, Felipe Alfaro Solana wrote:
>
>>On Thu, 2003-07-24 at 23:06, Jason C. Waters wrote:
>>
>>>net groupmap modify ntgroup="Power Users" unixgroup="pwrusers"
>>>
>>>something like that!
>>>
>>Oh, my god! Please, stop this now! "Power Users" is a local group, not a
>>global group! You should never, ever create "Power Users" as a global
>>group, nor map it to a Unix group.
>>
>>I recommend you reading this:
>>
>>http://www.microsoft.com/windows2000/en/server/help/lsm_local_groups.htm
>>
>>to clarify on the difference between built-in local groups and built-in
>>domain (or global) groups.
>>
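
The distinction drawn in this thread, between built-in local groups (SIDs under S-1-5-32) and domain groups (domain SID under S-1-5-21 plus a RID), can be checked against "net groupmap list" output. The script below is an added example, not written by any poster or by the Samba project; the function names and the sample listing are constructed (the sample follows the thread's listing format, with Power Users mapped to pwrusers), and "-1" is assumed to mean that no Unix group is mapped.

```shell
#!/bin/sh
# Added example: classify `net groupmap list` lines by SID prefix and flag
# built-in local groups that carry a Unix group mapping.

# Constructed sample in the listing format shown in the thread; the
# "Power Users -> pwrusers" mapping is made up for the demonstration.
sample_groupmap() {
cat <<'EOF'
Power Users (S-1-5-32-547) -> pwrusers
Domain Users (S-1-5-21-1135672234-1853056381-2991119365-513) -> -1
Users (S-1-5-32-545) -> users
Domain Admins (S-1-5-21-1135672234-1853056381-2991119365-512) -> dadmin
Administrators (S-1-5-32-544) -> -1
EOF
}

# Reads listing lines on stdin, prints: flag|kind|group name|mapping
classify_groupmap() {
    # Split "Name (SID) -> unixgroup" into Name|SID|unixgroup.
    # Group names may contain spaces, so match up to the last " (S-...)".
    sed -n 's/^\(.*\) (\(S-[0-9-]*\)) -> \(.*\)$/\1|\2|\3/p' |
    awk -F'|' '{
        name = $1; sid = $2; unix = $3
        if (sid ~ /^S-1-5-32-[0-9]+$/)
            kind = "builtin-local"   # alias held in the local SAM of each machine
        else if (sid ~ /^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$/)
            kind = "domain"          # domain SID followed by a RID
        else
            kind = "other"
        # Assumption: "-1" means no Unix group is mapped, as in the thread.
        mapping = (unix == "-1") ? "unmapped" : "mapped:" unix
        # A built-in local group with a Unix mapping is worth a second look.
        flag = (kind == "builtin-local" && unix != "-1") ? "REVIEW" : "ok"
        print flag "|" kind "|" name "|" mapping
    }'
}

sample_groupmap | classify_groupmap
```

On a Samba server the same function can be fed directly: net groupmap list | classify_groupmap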