“Privileged” accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform actions in Active Directory and on domain-joined servers.
On a Samba member server this notebook uses three privileges: SeDiskOperatorPrivilege (manage shares and their permissions), SePrintOperatorPrivilege (manage printers) and SeMachineAccountPrivilege (add workstations to the domain).
In our scenario we will use Windows ACLs to control the permissions and security of shares, but before we do, we need to grant the SeDiskOperatorPrivilege privilege on every Samba server that holds shares. The privilege is needed to use the "Permissions" tab of a share when configuring it from Computer Management. Note that `net rpc rights grant` writes to the privilege database of the server it is run against (the local server unless `-S` names another one), so the grant has to be repeated on each file server. See Configure Shares on a Member Server from Windows.
```
# If you want to grant the privilege to an additional group, for example "Share Managers"
net rpc rights grant "MAD\Share Managers" SeDiskOperatorPrivilege -U "MAD\administrator"
Enter MAD\administrator's password:
Successfully granted rights.
```
To manage printers on a print server, the users or groups that should do so need SePrintOperatorPrivilege. Let's grant it to the group "Printer Managers".
```
# If you want to grant permissions to an additional group, for example "Printer Managers"
net rpc rights grant "MAD\Printer Managers" SePrintOperatorPrivilege -U "MAD\administrator"
Enter MAD\administrator's password:
Successfully granted rights.
```
Another privilege worth assigning is SeMachineAccountPrivilege, which lets its holders add workstations to the domain. Keep that group small: anyone in it can create machine accounts. Let's grant it to the group "Workstation Managers".
```
# If you want to grant permissions to an additional group, for example "Workstation Managers"
net rpc rights grant "MAD\Workstation Managers" SeMachineAccountPrivilege -U "MAD\administrator"
Enter MAD\administrator's password:
Successfully granted rights.
```
Finally, verify who holds each privilege (`net rpc rights list accounts` lists every account with all of its privileges):

```
net rpc rights list privileges SeDiskOperatorPrivilege -U "MAD\Administrator"
SeDiskOperatorPrivilege:
MAD\Share Managers
BUILTIN\Administrators

net rpc rights list privileges SeMachineAccountPrivilege -U "MAD\Administrator"
SeMachineAccountPrivilege:
MAD\Workstation Managers
BUILTIN\Administrators

net rpc rights list privileges SePrintOperatorPrivilege -U "MAD\Administrator"
SePrintOperatorPrivilege:
MAD\Printer Managers
BUILTIN\Administrators
```
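As an added example (not from this notebook or from the Samba project), the following POSIX shell script makes the three grants above idempotent and audits who holds each privilege, by parsing the `net rpc rights list privileges` output in the format shown above. It assumes the MAD domain and the group names used on this page; the `ADMIN_USER` and `NET_OPTS` variables, the `run` argument and the allowed-holder lists are the script's own assumptions.

```sh
#!/bin/sh
# ensure_privileges.sh: idempotent grant plus audit of Samba privileges.
# Added example, not code from the notebook or from Samba. Assumes the MAD domain
# and the group names used on the page; ADMIN_USER and NET_OPTS are assumed names.
# `net rpc rights` stores its result in the privilege database of the server it
# talks to (the local one unless -S is given), so run this once per member server.

ADMIN_USER=${ADMIN_USER:-"MAD\\administrator"}
NET_OPTS=${NET_OPTS:-}          # e.g. "-S fileserver2" to target another member server

# Print only the account lines of a `net rpc rights list privileges <priv>` listing
# read from stdin: drop the "<priv>:" header and blank lines.
holders() {
  grep -v ':$' | grep -v '^[[:space:]]*$'
}

# True if account $1 (e.g. 'MAD\Share Managers') appears in the listing on stdin.
# Fixed-string, whole-line, case-insensitive: account names are case-insensitive,
# and the backslash must not be interpreted as a regex escape.
holds() {
  holders | grep -iqxF -- "$1"
}

# Listing of the holders of privilege $1 as returned by the server.
list_privilege() {
  # shellcheck disable=SC2086
  net rpc rights list privileges "$1" $NET_OPTS -U "$ADMIN_USER"
}

# Grant privilege $1 to account $2 only if the account does not already hold it.
ensure_privilege() {
  priv=$1; account=$2
  if list_privilege "$priv" | holds "$account"; then
    echo "ok: $account already holds $priv"
    return 0
  fi
  # shellcheck disable=SC2086
  net rpc rights grant "$account" "$priv" $NET_OPTS -U "$ADMIN_USER"
}

# Print every holder of privilege $1 that is not in the allowed list given as the
# remaining arguments (one "UNEXPECTED: ..." line per stray holder, nothing if clean).
audit_privilege() {
  priv=$1; shift
  allowed=$(printf '%s\n' "$@")
  list_privilege "$priv" | holders | while IFS= read -r holder; do
    printf '%s\n' "$allowed" | grep -iqxF -- "$holder" \
      || echo "UNEXPECTED: $holder holds $priv"
  done
}

# Invoke as `sh ensure_privileges.sh run` on the member server (the argument guards
# against running `net` when the file is merely sourced).
if [ "${1:-}" = "run" ]; then
  ensure_privilege SeDiskOperatorPrivilege   'MAD\Share Managers'
  ensure_privilege SePrintOperatorPrivilege  'MAD\Printer Managers'
  ensure_privilege SeMachineAccountPrivilege 'MAD\Workstation Managers'
  # Assumed allowed lists: only the intended group and the built-in administrators.
  audit_privilege SeDiskOperatorPrivilege   'MAD\Share Managers'       'BUILTIN\Administrators'
  audit_privilege SePrintOperatorPrivilege  'MAD\Printer Managers'     'BUILTIN\Administrators'
  audit_privilege SeMachineAccountPrivilege 'MAD\Workstation Managers' 'BUILTIN\Administrators'
fi
```

The audit is the part worth scheduling: these rights live in each server's own privilege database rather than in AD, so a stray holder such as a broad domain group does not show up in any AD group membership review and is only visible by asking the server.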
Caponato's Samba notebook.