On 24-01-2022 16:24, mj via samba wrote:
> Hi,
>
> We are wondering: is it safe to move the accounts dns-DC1 / dns-DC2 /
> dns-DC3 that exist in our samba CN=Users,DC=samdom to a different CN,
> for example to: CN=sys_accounts,DC=samdom
>
> Reason: The contents of CN=Users is displayed in various LDAP
> addressbooks and also autocompleted in various other places in our
> network. It looks strange for our users to see these technical
> accounts listed and autocompleted.
>
> Of course we'd rather not break anything. :-)
>
> MJ
>
>
You can.
I have split up my users like this:
CN=Users,DC=samdom
OU=Admin Accounts,OU=Interactive Users,OU=Groupware,DC=samdom
OU=User Accounts,OU=Interactive Users,OU=Groupware,DC=samdom
OU=Inactive Users,OU=Noninteractive Users,DC=samdom
OU=Script Accounts,OU=Noninteractive Users,DC=samdom
OU=Service Accounts,OU=Noninteractive Users,DC=samdom
The search-root for LDAP addressbooks etc. is OU=Groupware in my situation.
Indeed I started similar to you and used the move option in samba-tool
to move the users around.
Now, all default AD users, service-accounts (e.g. for apache),
script-users and also inactive-users (who left the organization but
still own files etc. somewhere) are invisible in LDAP addressbooks.
- Kees
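
The layout described in the reply above, as an added example that is not part of either message: a dry-run script that prints the `samba-tool ou create` and `samba-tool user move` commands for the three dns-* accounts, and refuses a target OU that still lies under the address-book search root. The DNs are taken from the thread; the function names are hypothetical, and the script assumes DNs without escaped commas.

```shell
#!/bin/sh
# Added example, not from the thread. DNs come from the thread;
# function and variable names are hypothetical.
BASE_DN="DC=samdom"
SEARCH_ROOT="OU=Groupware,${BASE_DN}"   # search root used by the address books
TARGET_OU="OU=Service Accounts,OU=Noninteractive Users,${BASE_DN}"
ACCOUNTS="dns-DC1 dns-DC2 dns-DC3"

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Succeeds when DN $1 equals or sits below DN $2 (DN matching is
# case-insensitive). Assumes no escaped commas inside RDN values.
is_under() {
    _d=$(lower "$1"); _b=$(lower "$2")
    case "$_d" in
        "$_b"|*",$_b") return 0 ;;
        *) return 1 ;;
    esac
}

# Print the samba-tool commands for target OU $1, parent OUs first.
plan_moves() {
    target=$1
    if is_under "$target" "$SEARCH_ROOT"; then
        echo "refusing: $target is still inside $SEARCH_ROOT" >&2
        return 1
    fi
    if ! is_under "$target" "$BASE_DN"; then
        echo "refusing: $target is outside $BASE_DN" >&2
        return 1
    fi
    creates=""
    dn=$target
    # Walk up one RDN at a time until the base DN is reached.
    while [ "$(lower "$dn")" != "$(lower "$BASE_DN")" ]; do
        creates="samba-tool ou create \"$dn\"
$creates"
        dn=${dn#*,}
    done
    printf '%s' "$creates"
    for acct in $ACCOUNTS; do
        printf 'samba-tool user move %s "%s"\n' "$acct" "$target"
    done
}

# Dry run only: print the plan for review.
plan_moves "$TARGET_OU"
```

Review the printed commands before running them on a DC, and skip the `ou create` lines for OUs that already exist.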