
Delegating DirAdmin to Windows Clients

The default behavior of a Windows Server domain, from NT4 through 2008, is to allow a Domain Admins account to manage Windows clients. A number of environments have been moving to the PDC emulator on Mac OS X Server as a means of replacing aging Windows servers. One of the biggest annoyances is that the Open Directory administrative accounts used to bind the Windows computers to the domain are not local administrators on those computers. When you bind Mac OS X to Active Directory you can specify which Active Directory groups are administrators of the Mac OS X client, so you would expect to be able to do the same thing on an OS X Server providing directory services to Windows computers. You can.

This is controlled by the Samba Relative Identifier (SMBRID) attribute. When you create a group, add an SMBRID attribute to it. You can do this in Workgroup Manager or using dscl:

Notice that we used an SMBRID of 512, which corresponds to Domain Admins. You could also use any of the following to emulate the corresponding Windows functionality:

  • Domain Administrator – 500
  • Domain Guest – 501
  • Domain KRBTGT – 502
  • Domain Admins – 512
  • Domain Users – 513
  • Domain Guests – 514
  • Domain Computers – 515
  • Domain Controllers – 516
  • Domain Certificate Admins – 517
  • Domain Schema Admins – 518
  • Domain Enterprise Admins – 519
  • Domain Policy Admins – 520
  • Builtin Admins – 544
  • Builtin Users – 545
  • Builtin Guests – 546
  • Builtin Power Users – 547
  • Builtin Account Operators – 548
  • Builtin System Operators – 549
  • Builtin Print Operators – 550
  • Builtin Backup Operators – 551
  • Builtin Replicator – 552
  • Builtin RAS Servers – 553

You can create one group per required SMBRID. Once done, you can add users to those groups and delegate administrative access in this fashion, emulating many of the options that stem from the Windows NT 4 PDC emulation features of Samba included in Mac OS X Server’s implementation. But if you do this, don’t go updating your smb package manually. I’ve found that when I update fully, the SMBRID is no longer supported and I break permission delegation.
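Because every SMBRID in the list above becomes a well-known Windows principal, it is worth auditing which Open Directory groups carry which RID before relying on this delegation. The script below is an added example, not part of the original post: it parses a constructed sample of the two-column output that `dscl /LDAPv3/127.0.0.1 -list /Groups SMBRID` produces, maps each RID to the name from the list above, and flags two things a reviewer cares about: two groups sharing one RID (a Windows client sees them as the same principal) and groups holding an administrative RID. The set of RIDs treated as administrative is an assumption of this example, not something the post specifies.

```python
from collections import defaultdict
# Well-known RIDs as listed in the post.
WELL_KNOWN_RIDS = {
    500: "Domain Administrator", 501: "Domain Guest", 502: "Domain KRBTGT",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers", 517: "Domain Certificate Admins",
    518: "Domain Schema Admins", 519: "Domain Enterprise Admins", 520: "Domain Policy Admins",
    544: "Builtin Admins", 545: "Builtin Users", 546: "Builtin Guests",
    547: "Builtin Power Users", 548: "Builtin Account Operators", 549: "Builtin System Operators",
    550: "Builtin Print Operators", 551: "Builtin Backup Operators", 552: "Builtin Replicator",
    553: "Builtin RAS Servers",
}
# Which RIDs count as administrative is this example's assumption, not the post's.
PRIVILEGED_RIDS = {500, 512, 518, 519, 544}

# Constructed sample in the two-column shape of: dscl /LDAPv3/127.0.0.1 -list /Groups SMBRID
SAMPLE_DSCL_OUTPUT = """\
winadmins  512
winusers   513
helpdesk   512
staff      1027
"""

def parse_dscl_list(text):
    """Return {group_name: rid} from 'name rid' lines; anything else is skipped."""
    groups = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            groups[parts[0]] = int(parts[1])
    return groups

def audit_smbrids(groups):
    """Return (kind, message) findings: RID collisions and privileged RIDs."""
    by_rid = defaultdict(list)
    for name, rid in groups.items():
        by_rid[rid].append(name)
    findings = []
    for rid, names in sorted(by_rid.items()):
        label = "RID %d (%s)" % (rid, WELL_KNOWN_RIDS.get(rid, "custom RID"))
        members = ", ".join(sorted(names))
        if len(names) > 1:
            # Two groups sharing a RID are one and the same principal to a Windows client.
            findings.append(("collision", "%s shared by %s" % (label, members)))
        if rid in PRIVILEGED_RIDS:
            findings.append(("privileged", "%s held by %s" % (label, members)))
    return findings

if __name__ == "__main__":
    print(audit_smbrids(parse_dscl_list(SAMPLE_DSCL_OUTPUT)))
```

Feed it real output from your server instead of the sample to check that no helpdesk-style group has quietly been given a Domain Admins RID.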