Koozali.org formerly Contribs.org

win2k/linux group permissions - problem with local admin gro


« on: December 17, 2001, 08:14:03 PM »
I have a serious problem, my network users are logging into their Win2k systems via my domain logon to the SME server - and they have Administrator rights on the local machines!?!  (gulp)

I have NO idea how this happened.  This server was initially an ESSG 4.1.2 machine, which was upgraded to SME V5.

The server is running as the Domain master, and there are no other 2k/NT servers on the network.  Only Win2k pro workstations connecting to the SME server for domain authentication.

When I try to remove the group (below) in order to remove the users from the local machine Administrator group I get the error below:

This group is listed in Users and in Administrators on the local machine:

Local Users and Groups (Window)

The following error occurred while attempting to save properties for group Administrators on computer BENTCREEK006:

"A member could not be added to or removed from the local group because the member does not exist."

This SME server is running Samba 2.2.2, without any other apparent problem outside of this serious security issue.  I have also set up the "domain admin group = @dom_admins" in the samba.conf file templates.

Has anyone else run into this issue?  Any and all ideas/response are welcome, thanks.


Ryan Sutton

Re: win2k/linux group permissions - problem with local admin
« Reply #1 on: December 19, 2001, 10:49:28 PM »
I have been playing with samba 2.2.2 at home with a Win2k box.  I realized exactly what you did.  After some time, it is not possible to remove those groups without leaving the domain.  I fixed this by:

-join workgroup
-log in as local admin and clean up all non-Microsoft groups from all global groups
-rejoin the e-smith domain
-immediately go into user manager and remove the account added to the administrators group.  I would then put the root account from the linux domain in the administrators group so you can "administrate" and use NT admin tools from a remote location (like going into C$).
-The linux/user/group is also put in Power users on a win2k box, which I deleted and added to the regular users group.  

Good Luck

Patrick Basile

Re: win2k/linux group permissions - problem with local admin
« Reply #2 on: January 15, 2002, 06:41:16 PM »

Thanks for your response; however, when I followed your instructions the group 'THEBRIDGES\unix_group.2147483404' still showed up in the local Administrators group AND the local Users group AFTER rejoining the domain!?!?  Any ideas?

Running SME V5 and Samba 2.2.2, as I said in the first post.  This was NOT a problem under ESSG 4.1.2 and Samba 2.2.1a - wonder what changed?  I guess this is a Samba problem?

Hope others might have similar stories and solutions, thanks.
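
An added example, not part of any post in this thread: a check that could be run on each workstation after the rejoin steps in Reply #1, parsing the output of `net localgroup Administrators` and flagging `unix_group.<number>` entries like the one reported in Reply #2, plus any member outside an allowlist. The sample output, the allowlist and the `jsmith` account are constructed assumptions; the domain and group names are taken from the thread.

```python
import re

# Constructed sample of `net localgroup Administrators` output on a workstation.
SAMPLE_OUTPUT = r"""Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
THEBRIDGES\root
THEBRIDGES\unix_group.2147483404
THEBRIDGES\jsmith
The command completed successfully.
"""

# Assumed allowlist: the built-in account plus the domain root account that
# Reply #1 suggests adding for remote administration. Compared case-insensitively.
ALLOWED = {"administrator", r"thebridges\root"}

# Matches the auto-generated group name seen in the thread, with or without domain.
UNIX_GROUP = re.compile(r"^(?:[^\\]+\\)?unix_group\.\d+$", re.IGNORECASE)

def parse_members(output):
    """Return the member lines between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if not in_list:
            in_list = line.startswith("-----")
            continue
        if line.startswith("The command completed"):
            break
        if line:
            members.append(line)
    return members

def audit(output, allowed=ALLOWED):
    """Return (member, reason) for every member that should not be a local admin."""
    findings = []
    for member in parse_members(output):
        if UNIX_GROUP.match(member):
            findings.append((member, "mapped unix group"))
        elif member.lower() not in allowed:
            findings.append((member, "not in allowlist"))
    return findings

if __name__ == "__main__":
    for member, reason in audit(SAMPLE_OUTPUT):
        print(f"{member}: {reason}")
```

The same function can be pointed at the output of `net localgroup Users` or `net localgroup "Power Users"` with a different allowlist, since both groups are mentioned in the thread as also receiving the unwanted entry.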