Grant users rights to manage services in Member Servers
Please note: Members of "Domain Admins" already have these privileges granted by default (as a member of BUILTIN\Administrators).
“Privileged” accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform actions in Active Directory and on domain-joined servers.
- By default, all privileges have already been granted to BUILTIN\Administrators, which includes "Domain Admins". Chances are this is all you need, and if so, you can safely skip this section. (If you are using the 'ad' idmap backend, "Unix Admins" is a member of "Domain Admins", so you are covered there too.)
- It is recommended to grant the privilege to a group instead of individual accounts. This enables you to add and revoke the privilege by updating the group membership.
- Remember that if you create a new group to assign a privilege to, and you are using the 'ad' idmap backend, you must assign a gidNumber to the new group.
In a Samba member server three privileges are used:
SeDiskOperatorPrivilege
In our scenario, we will be using Windows ACLs to control permissions and security of shares, but before we do, we need to grant the SeDiskOperatorPrivilege privilege on every Samba server that holds shares. This privilege is needed to interact with the "Permissions" tab of the share when configuring it from "Computer Management". See Configure Shares on a Member Server from Windows.
# If you want to grant the privilege to an additional group, for example "Share Managers"
net rpc rights grant "MAD\Share Managers" SeDiskOperatorPrivilege -U "MAD\administrator"
Enter MAD\administrator's password:
Successfully granted rights.
SePrintOperatorPrivilege
You need to assign this privilege to users or groups on a print server in order to manage printers. Let's set up the privilege for Admins and the group "Printer Managers".
# If you want to grant the privilege to an additional group, for example "Printer Managers"
net rpc rights grant "MAD\Printer Managers" SePrintOperatorPrivilege -U "MAD\administrator"
Enter MAD\administrator's password:
Successfully granted rights.
SeMachineAccountPrivilege
Another useful privilege to assign is SeMachineAccountPrivilege, which lets users add workstations to the domain. Let's set up the privilege for Admins and the group "Workstation Managers".
# If you want to grant the privilege to an additional group, for example "Workstation Managers"
net rpc rights grant "MAD\Workstation Managers" SeMachineAccountPrivilege -U "MAD\administrator"
Enter MAD\administrator's password:
Successfully granted rights.
Check rights
net rpc rights list privileges SeDiskOperatorPrivilege -U "MAD\Administrator"
SeDiskOperatorPrivilege:
MAD\Share Managers
BUILTIN\Administrators

net rpc rights list privileges SeMachineAccountPrivilege -U "MAD\Administrator"
SeMachineAccountPrivilege:
MAD\Workstation Managers
BUILTIN\Administrators

net rpc rights list privileges SePrintOperatorPrivilege -U "MAD\Administrator"
SePrintOperatorPrivilege:
MAD\Printer Managers
BUILTIN\Administrators
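As an added audit check (not from the notebook, and not part of Samba), the following POSIX shell helper parses a listing in the format "net rpc rights list privileges" prints above and reports any principal that holds a privilege but is not in the expected set. The sample listing and the group names are constructed from this page's examples.

```shell
#!/bin/sh
# Added audit helper: check who holds a Samba privilege on a member server
# and flag anything outside the expected set, so that a grant made by hand
# (or a group added to a privilege later) does not go unnoticed.
# Listing format: a "<Privilege>:" header line, then one principal per line.

# Constructed sample listing, standing in for the live output of
#   net rpc rights list privileges SeDiskOperatorPrivilege -U "MAD\administrator"
SAMPLE_DISK_OPERATOR='SeDiskOperatorPrivilege:
 MAD\Share Managers
 BUILTIN\Administrators
'

# holders_of PRIV LISTING
# Print the principals that hold PRIV, one per line, with the header line
# and any surrounding whitespace removed.
holders_of() {
    priv="$1"
    listing="$2"
    printf '%s\n' "$listing" \
        | grep -v "^[[:space:]]*${priv}:" \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | sed '/^$/d'
}

# unexpected_holders PRIV LISTING EXPECTED...
# Print every principal holding PRIV that is not named in EXPECTED.
# Empty output means the privilege has not drifted from the intended set.
unexpected_holders() {
    priv="$1"
    listing="$2"
    shift 2
    holders_of "$priv" "$listing" | while IFS= read -r holder; do
        ok=0
        for expected in "$@"; do
            [ "$holder" = "$expected" ] && ok=1
        done
        [ "$ok" -eq 1 ] || printf '%s\n' "$holder"
    done
}

# Live use: feed the real listing instead of the constructed sample, e.g.
#   listing=$(net rpc rights list privileges SeDiskOperatorPrivilege -U "MAD\administrator")
#   unexpected_holders SeDiskOperatorPrivilege "$listing" 'MAD\Share Managers' 'BUILTIN\Administrators'
```

Run it for each of the three privileges with the groups you intend to hold them; any line of output is a principal to review.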