samba - Sep 2005 - Administrators and Users Rights for Windows workstations

Hello,

I having a problem with rights in Windows workstations. I want that all 
users can be administrators of yours stations when they are logged in your 
stations, but I don't want that they can see the share C$ of other stations.
They can see this because they are administrators of the domain.
They have primary group "Domain Admins". If I try put the users on 
"Administrators" group, they can't logon. If I try put them on
"Domain
Users" group, they aren't administrators. If I put them in
"Administrators"
(primary group) and "Domain Users", they aren't administrators.
The only
possibility for the users log as administrators is that they are inserted in 
"Domain Admins" group.
The problem is the C$. We thinking about use a script to remove this share 
from Windows, but I'm not sure about if this solution is the best.
Does someone know about any solution for this problem?

I'm using samba 3.0.14 + LDAP

Thanks

Edgar

> I having a problem with rights in Windows workstations. I want that all
> users can be administrators of yours stations when they are logged in your
> stations, but I don't want that they can see the share C$ of other
> stations.
> They can see this because they are administrators of the domain.
> They have primary group "Domain Admins". If I try put the users
on
> "Administrators" group, they can't logon. 
Since this is the more 'proper' way to do it, lets find out why they
can't
log in under this condition.  What kind of errors do you get here?
> If I try put them on "Domain
> Users" group, they aren't administrators. If I put them in
> "Administrators"
> (primary group) and "Domain Users", they aren't
administrators.
How are you making this their primary group??  Administrators should be a
local group and you shouldn't be able to make a network users's primary
group a local group unless you're doing something horribly wrong (by
convention).
> The only
> possibility for the users log as administrators is that they are inserted
> in
> "Domain Admins" group.
> The problem is the C$. We thinking about use a script to remove this share
> from Windows, but I'm not sure about if this solution is the best.
> Does someone know about any solution for this problem?
> 
> I'm using samba 3.0.14 + LDAP
> 
> Thanks
> 
> Edgar
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba

just disable the administrative shares.

but why give users Administrator rights thats stupid.

but use poledit and policy templates to disabled the c$ 
You can find the nessesary templates in the samba list.
there's a link 2 a packages with howto examples policy templates
etc.


Louis 
>-----Oorspronkelijk bericht-----
>Van: samba-bounces+louis=van-belle.nl@lists.samba.org 
>[mailto:samba-bounces+louis=van-belle.nl@lists.samba.org] 
>Namens Edgar Fonseca
>Verzonden: donderdag 1 september 2005 16:24
>Aan: samba@lists.samba.org
>Onderwerp: [Samba] Administrators and Users Rights for Windows 
>workstations
>
>Hello,
>
>I having a problem with rights in Windows workstations. I want 
>that all 
>users can be administrators of yours stations when they are 
>logged in your 
>stations, but I don't want that they can see the share C$ of 
>other stations. 
>They can see this because they are administrators of the domain.
>They have primary group "Domain Admins". If I try put the users on
>"Administrators" group, they can't logon. If I try put them on
"Domain
>Users" group, they aren't administrators. If I put them in 
>"Administrators" 
>(primary group) and "Domain Users", they aren't 
>administrators. The only 
>possibility for the users log as administrators is that they 
>are inserted in 
>"Domain Admins" group.
>The problem is the C$. We thinking about use a script to 
>remove this share 
>from Windows, but I'm not sure about if this solution is the best.
>Does someone know about any solution for this problem?
>
>I'm using samba 3.0.14 + LDAP
>
>Thanks
>
>Edgar
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/listinfo/samba
>

Hi,

The error when the user of Administrators group was log in was caused for 
other things, sorry for my precipitation. It was the nscd daemon, sometimes 
he causes strange results.

I'm thinking about the strange comportament of logged users. If the user is 
in Administrators group (created on LDAP) the user can log in but he doesn't
Administrator. He has limited privileges. I'm not sure yet, but I thing that
he is Power User. I'm really not sure.

Edgar


2005/9/1, Paul Gienger
<pgienger@ae-solutions.com>:
> 
> > I having a problem with rights in Windows workstations. I want that
all
> > users can be administrators of yours stations when they are logged in 
> your
> > stations, but I don't want that they can see the share C$ of other
> > stations.
> > They can see this because they are administrators of the domain.
> > They have primary group "Domain Admins". If I try put the
users on
> > "Administrators" group, they can't logon. 
> 
> Since this is the more 'proper' way to do it, lets find out why
they can't
> log in under this condition. What kind of errors do you get here?
> 
> > If I try put them on "Domain
> > Users" group, they aren't administrators. If I put them in 
> > "Administrators"
> > (primary group) and "Domain Users", they aren't
administrators.
> 
> How are you making this their primary group?? Administrators should be a
> local group and you shouldn't be able to make a network users's
primary
> group a local group unless you're doing something horribly wrong (by
> convention).
> 
> > The only
> > possibility for the users log as administrators is that they are 
> inserted
> > in
> > "Domain Admins" group. 
> > The problem is the C$. We thinking about use a script to remove this 
> share
> > from Windows, but I'm not sure about if this solution is the best.
> > Does someone know about any solution for this problem? 
> >
> > I'm using samba 3.0.14 + LDAP
> >
> > Thanks
> >
> > Edgar
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/listinfo/samba
> 
>