Mailing Lists: Apple Mailing Lists


Re: AD User as 10.4 Server Administrator



>
> 2) Using NetInfo tools (NetInfo Manager in my case) to add the domain
> user to the 10.4.3 server's local admin group did allow the domain-
> based user to administer the server, but the resulting account
> behaved strangely within Workgroup Manager, with the domain-based
> user apparently able to make changes to other domain-based accounts.
> Workgroup Manager was unable to actually save the changes that it
> made, but the fact that WGM even appeared able to do so disturbed the
> customer's IT staff. I conclude that this probably isn't a good
> approach.

IIRC, WGM isn't so bright. It assumes that if a user is a member of a
group named "admin" that the user should have full admin access. As you
found out, DACLs can keep the user from doing anything stupid, but it can
be disconcerting.

WGM does support some limits, but they are added into a schema field,
AdminLimits, that you probably don't have in your AD. (Also note that
these are WGM limits only. Tools like dscl allow unfettered access if the
user is a domain admin.)

Josh
www.afp548.com

Macos-x-server mailing list      (email@hidden)

References: 
 >AD User as 10.4 Server Administrator (From: Chris Dawe <email@hidden>)


