Philip M Grisedale
2004-Aug-25 11:20 UTC
[Samba] Problem with Domain Administrator rights in samba 3.0.2
All,

I have set up Samba to run as a PDC; it's been running great now for over 6 months with no probs. I am looking to add to this by setting up a Domain Administrator so I can run audits, remote patch updates, reg hacks etc. I have followed the instructions but I have no domain rights with 'Domain Admins', but I do have domain rights with 'Admin Users'. Here's my set-up. Any help would be great.

I set up an administrators group called ntadm,

ntadmin:*:250:pmg,administrator,root

And I have mapped the group to samba...

System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Admin Users (S-1-5-21-3967392933-3615524997-2202084585-1501) -> ntadmin
Domain Guests (S-1-5-21-3967392933-3615524997-2202084585-514) -> -1
Domain Admins (S-1-5-21-3967392933-3615524997-2202084585-512) -> ntadmin
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> ntadmin
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-3967392933-3615524997-2202084585-513) -> anvil
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

When I log into the domain as user 'pmg' or 'administrator', the samba log shows...

administrator logged in as admin user (root privileges)

or

pmg logged in as admin user (root privileges)

But I don't have domain rights; when accessing the user panel I get...

"You must be a member of the Administrators group on this computer to open user accounts"

If I add 'Admin Users' to the local administrator group on any client PC, I have Domain Administrator rights.

[global]
    netbios name = MOTHER
    workgroup = ANVIL
    passdb backend = smbpasswd
    os level = 64
    socket options = TCP_NODELAY
    preferred master = yes
    domain master = yes
    local master = yes
    log level = 1
    security = user
    domain logons = yes
    logon path = \\MOTHER\profile\%u
    logon drive = H:
    logon home = \\MOTHER\users\%u
    logon script = %u.bat
    smb passwd file = /usr/local/samba/private/smbpasswd
    unix password sync = true
    passwd program = /bin/passwd %u
    passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *passwd*successfully*changed*
    passwd chat debug = yes
    admin users = @ntadmin
    add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
    printing = sysv
    printcap name = /etc/printcap
    load printers = yes
    print command = /usr/ucb/lpr -P%p -r %s
    use client driver = yes
    preferred master = yes

[netlogon]
    path = /vols/NT/netlogon
    read only = yes
    write list = ntadmin

;share for storing user profiles..
[profile]
    path = /vols/users/%U/roaming
    read only = no
    create mask = 0600
    directory mask = 0700
    profile acls = yes

[projects]
    guest ok = no
    read only = no
    create mask = 0775
    path=/vols/projects

[projectdocs]
    guest ok = no
    read only = no
    path = /vols/projects/management
    force create mode = 0775
    force directory mode = 0775

[trees]
    guest ok = no
    read only = no
    path=/vols/trees

[trees2]
    guest ok = no
    read only = no
    path=/vols/trees2

[users]
    guest ok = no
    read only = no
    path=/vols/users

[users2]
    guest ok = no
    read only = no
    path=/vols/users2

[reference]
    guest ok = no
    read only = no
    path=/vols/reference

[printers]
    comment = All Printers
    printable = yes
    writable = no

[support]
    guest ok = no
    read only = no
    path=/vols/support

[common]
    guest ok = no
    read only = no
    path=/vols/common

[NT]
    guest ok = no
    read only = no
    path=/vols/NT

[ATE]
    guest ok = no
    read only = no
    path=/home/ate
    force user = ate
    valid users = @ate

[source]
    guest ok = no
    read only = no
    path=/vols/src

[Virus]
    guest ok = no
    read only = no
    path = /vols/NT/Virus

[EMCO]
    guest ok = no
    read only = no
    path = /vols/NT/EMCO

[demoapps]
    guest ok = no
    read only = no
    path=/vols/demoapps