I just installed a samba4 dc and I see that the Power Users group is missing. Is it possible to create that group so that a workstation joined to the domain can install software using users belonging to that group, and how can it be done?

Actually, simply creating a group with that name doesn't give any privilege to that group's users.

On Thu, 15 Mar 2018 16:21:24 +0100 Lorenzo Delana via samba <samba at lists.samba.org> wrote:

> I just installed a samba4 dc and I see that Power Users group is
> missing, is possible to create that group so that a workstation
> joined in the domain can install software using users belonging to
> that group and how it can be done?
>
> actually simply creating a group with that name doesn't get any
> privilege to that group users.

As far as I am aware, Power Users is a 'local' group, which probably explains why it doesn't get created in the domain. There is always 'Domain Admins' instead.

Rowland

Hi Lorenzo,

> I just installed a samba4 dc and I see that Power Users group is missing,
> is possible to create that group so that a workstation joined in the
> domain can install software using users belonging to that group and how
> it can be done?
>
> actually simply creating a group with that name doesn't get any
> privilege to that group users.

PowerUsers group is a Windows local group. Even if you had such a group on AD, like the existing "Remote Desktop Users" group, it would not provide what you want.

You can create a "MyPowerUsers" AD group and add your "power users" to that AD group, and then add that "MyPowerUsers" AD group to the Windows local "Power Users" group. That can be done easily through GPO (or any other configuration management solution).

However, I would rather advise you to use a software deployment solution to solve your installation needs, like SCCM, Ivanti, WAPT, etc. And I personally would advise you to give WAPT Community 1.5 a try; it was just released this week, and it rocks (I am a little bit biased as I work on that project too :-)

Cheers,

Denis

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr

That was exactly what I needed to know. As you said, using a GPO I can insert the MyPowerUsers samba group into the local Power Users group, so that users in MyPowerUsers are recognized as local power users for the purpose of authorizing software installs, etc.

My mistake was to think of the builtin groups ( Table 12.1 - https://www.samba.org/samba/docs/old/Samba3-HOWTO/groupmapping.html ) as domain intrinsic groups while it means local groups.

Thank you

On 15/03/2018 16:42, Denis Cardon wrote:

> Hi Lorenzo,
>
>> I just installed a samba4 dc and I see that Power Users group is
>> missing,
>> is possible to create that group so that a workstation joined in the
>> domain can install software using users belonging to that group and how
>> it can be done?
>>
>> actually simply creating a group with that name doesn't get any
>> privilege to that group users.
>
> PowerUsers group is a Windows local group. Even if you had such a
> group on AD, like the existing "Remote Desktop Users" group, it would
> not provide what you want.
>
> You can create an "MyPowerUsers" AD group and add your "power users"
> in that AD group, and then add that "MyPowerUsers" AD group to the
> Windows local "Power Users" group. That can be done easily through GPO
> (or any other configuration management solution).
>
> However I would rather advise you to use a software deployment
> solution to solve your installation needs, like SCCM, Ivanti, WAPT,
> etc. And I personally would advise you to give a try to WAPT Community
> 1.5, it was just release this week, and it rocks (I am a little bit
> biased as I work on that project too :-)
>
> Cheers,
>
> Denis

On Thursday, 15 March 2018, 16:21:24 CET, Lorenzo Delana via samba wrote:

> I just installed a samba4 dc and I see that Power Users group is
> missing, is possible to create that group so that a workstation
> joined in the domain can install software using users belonging to
> that group and how it can be done?
>
> actually simply creating a group with that name doesn't get any
> privilege to that group users.

read:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

or here:

SID: S-1-5-32-547
Name: Power Users
Description: A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares.

The net command may be used to create the group and assign privileges.

HINT:

Power Users can do much more than installing software, i.e. managing users and groups.

This is the reason why MS has removed "Power Users" from the default install.

IT IS REALLY RISKY.

But if you want, it is your choice.

--
Regards
Harry Jede

I know that, thank you for the advice. I ended up with the following dc config:

- Administrator ( real random password len 24 )
- itadmin member of "Domain Admins" ( real random password len 12 )
- custom "Local Admins" group with some users able to install software ( like local pc administrators ) (reference <http://cbudde.com/2014/11/adding-users-to-the-local-administrators-group-using-group-policy/>)

The purpose of the itadmin user here is to be used only by the IT administrator from secure hosts, and it has a password easier to type even w/out copy/paste or other tools and with a defined password expiration.

The purpose of users in the Local Admins group is to allow local pc software installation w/out the need for itadmin intervention and to ensure no AD modification can be done.

On 15/03/2018 17:34, Harry Jede wrote:

> On Thursday, 15 March 2018, 16:21:24 CET, Lorenzo Delana via samba wrote:
>
> > I just installed a samba4 dc and I see that Power Users group is
> > missing, is possible to create that group so that a workstation
> > joined in the domain can install software using users belonging to
> > that group and how it can be done?
> >
> > actually simply creating a group with that name doesn't get any
> > privilege to that group users.
>
> read:
>
> https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
>
> or here:
>
> SID: S-1-5-32-547
> Name: Power Users
> Description: A built-in group. By default, the group has no members.
> Power users can create local users and groups; modify and delete
> accounts that they have created; and remove users from the Power
> Users, Users, and Guests groups. Power users also can install
> programs; create, manage, and delete local printers; and create and
> delete file shares.
>
> The net command may be used to create the group and assign privileges.
>
> HINT:
>
> Power Users can do much more than installing software, i.e. managing
> users and groups.
>
> This is the reason why MS has removed "Power Users" from the default install.
>
> IT IS REALLY RISKY.
>
> But if you want, it is your choice.
>
> --
> Regards
> Harry Jede
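
An audit sketch for the setup discussed in this thread, added here as an example and not posted by any participant: it reads the `[Group Membership]` section of a GPO security template and reports every member the policy places in the local Administrators or Power Users (S-1-5-32-547) group. It assumes the GPO uses Restricted Groups (GptTmpl.inf) rather than Group Policy Preferences; the function names and the sample template, including its S-1-5-21-1-2-3-... SIDs, are constructed.

```python
# Added example: audit a GPO "Restricted Groups" template for members pushed
# into high-privilege local groups. All sample data below is constructed.
RISKY_LOCAL_GROUPS = {                 # well-known BUILTIN SIDs
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-547": "Power Users",
}
RISKY_BY_NAME = {name.lower(): name for name in RISKY_LOCAL_GROUPS.values()}

# Constructed GptTmpl.inf content; the S-1-5-21-1-2-3-* domain SIDs are made up.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = MyPowerUsers
*S-1-5-32-555__Members = *S-1-5-21-1-2-3-1106
*S-1-5-32-544__Members = *S-1-5-21-1-2-3-512,*S-1-5-21-1-2-3-1107
[Version]
signature="$CHICAGO$"
"""


def parse_group_membership(text):
    """Return {local group: [members]} from the [Group Membership] section."""
    grants, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        key, sep, value = line.partition("=")
        if not in_section or not sep:
            continue
        group, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() != "members":
            continue  # "__Memberof" nests the group elsewhere; it adds no members
        members = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
        grants.setdefault(group.lstrip("*"), []).extend(members)
    return grants


def risky_grants(text):
    """List (local group name, member) pairs that grant elevated local rights."""
    found = []
    for group, members in parse_group_membership(text).items():
        name = RISKY_LOCAL_GROUPS.get(group.upper()) or RISKY_BY_NAME.get(group.lower())
        if name:
            found.extend((name, member) for member in members)
    return found


if __name__ == "__main__":
    for name, member in risky_grants(SAMPLE_GPTTMPL):
        print(f"review: {member} is placed in local '{name}'")
```

On a DC the real file sits in the GPO's `Machine/Microsoft/Windows NT/SecEdit/` directory under sysvol and is normally UTF-16 encoded, so read it with `encoding="utf-16"` before passing the text in.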