Samba AD Administrator Group

Mattallyc · October 11, 2016, 12:03pm

NethServer Version: 7.2.1511
Module: Users and Groups

Hi,

I’ve been playing with the AD domain controller in NS7, with an eye to replacing an existing Windows 2003 DC. Setup is straightforward and users can connect to the NS AD DC.
One issue I have is adding users to the Domain Admin group. There is no admin group listed under Users and Groups, but if I try to create a group called ‘administrators’ I get an error that it couldn’t be created as it already exists.
Is there a bug that’s preventing the admin group from appearing in the Groups list or am I doing something wrong?

davidep · December 17, 2016, 10:29pm

It is not a bug, it’s a feature

It has been deliberately hidden!

As workaround, you could try to remove the “Administrators” line from

/etc/nethserver/system-groups

I don’t know if this break something else… /cc @dev_team

Mattallyc · October 17, 2016, 10:17am

Thanks for the suggestion Davide, I’ve not tried it though as you were unsure of the consequences and I didn’t want to break things!

I think I’ve found a better way though. On a Windows PC I installed RSAT, which (among other things) lets me do all the things I need to do to administer Active Directory settings. Using RSAT I can get in there and add users to the admin group and do other nice things like force a password reset on next login etc. Basically it appears to have the same functionality as using the ‘Manage Active Directory Users and Groups’ option on Windows server 2003.

Download RSAT here: https://www.microsoft.com/en-gb/download/details.aspx?id=45520

Setup guide here: https://www.itsupportguides.com/windows-7/windows-7-how-to-install-the-active-directory-users-and-computers-tools/

I have another query relating to this method though. If I add a new user via RSAT then look at the user in ‘Users and Groups’ on NS there is a key shaped icon next to the user name. It appears I can still edit the user (it doesn’t appear to be locked as the key would indicate). Any idea what the key icon signifies?

Thanks again.

davidep · October 17, 2016, 10:31am

IIRC it can be in a “locked” state, or has an expired password or no password at all.

alefattorini · October 17, 2016, 10:33am

That would be the main goal here I guess.
Thanks for sharing! I think we should collect all this guides about AD administration @docs_team

Mattallyc · October 17, 2016, 10:52am

Yep that was it, an expired password. Once the password was changed the key disappeared. Nothing to worry about then . I don’t think I have any further Active Directory issues… things are looking promising indeed!

alefattorini · October 25, 2016, 1:45pm

I love that, how and where should we document it? @docs_team