browser icon
You are using an insecure version of your web browser. Please update your browser!
Using an outdated browser makes your computer unsafe. For a safer, faster, more enjoyable user experience, please update your browser today or try a newer browser.

Group Mapping MS Windows and UNIX

Posted by on August 21, 2008

As usual I’m allways visite my blog to read the manual from samba, because i had always got the problem from samba. So i wrote the documentation, I know I will have to come back here to find it hehehe :D

The following steps describe how to make Samba PDC users members of the Domain Admins group.

1. Create a UNIX group (usually in /etc/group); let’s call it domadm.
2. Add to this group the users that must be “Administrators”. For example, if you want joe, john, and mary to be administrators, your entry in /etc/group will look like this:


3. Map this domadm group to the “Domain Admins” group by executing the command:

# net groupmap add ntgroup=”Domain Admins” unixgroup=ntadmin rid=512 type=d

The quotes around “Domain Admins” are necessary due to the space in the group name. Also make sure to leave no white space surrounding the equal character (=).

It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as to make any UNIX group a Windows domain group. For example, if you wanted to include a UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine, you would flag that group as a domain group by running the following on the Samba PDC:

root# net groupmap add rid=1000 ntgroup=”Accounting” unixgroup=acct type=d

User Default RIDs

Well-Known Entity RID Type Essential
Domain Administrator 500 User No
Domain Guest 501 User No
Domain KRBTGT 502 User No
Domain Admins 512 Group Yes
Domain Users 513 Group Yes
Domain Guests 514 Group Yes
Domain Computers 515 Group No
Domain Controllers 516 Group No
Domain Certificate Admins 517 Group No
Domain Schema Admins 518 Group No
Domain Enterprise Admins 519 Group No
Domain Policy Admins 520 Group No
Builtin Admins 544 Alias No
Builtin users 545 Alias No
Builtin Guests 546 Alias No
Builtin Power Users 547 Alias No
Builtin Account Operators 548 Alias No
Builtin System Operators 549 Alias No
Builtin Print Operators 550 Alias No
Builtin Backup Operators 551 Alias No
Builtin Replicator 552 Alias No
Builtin RAS Servers 553 Alias No

Check groupmap

net groupmap list
Remote Desktop User (S-1-5-21-2081528928-1204200937-4262487566-1000) -> remotedesk
Accounting (S-1-5-21-2081528928-1204200937-4262487566-1001) -> acct
Domain Admins (S-1-5-21-2081528928-1204200937-4262487566-512) -> ntadmin



Leave a Reply

Your email address will not be published. Required fields are marked *

:)) :) :D (LOL) :-P (woot) ;-) :-o X-( ;-( :-& (angry) (annoyed) (bye) B-) (cozy) (sick) (: (goodluck) (griltongue) (mmm) (hungry) (music) (tears) (tongue) (unsure) (highfive) (dance) (doh) (brokenheart) (drinking) (girlkiss) (rofl) (money) (rock) (nottalking) (party) (sleeping) (thinking) (bringit) (worship) (applause) 8-) (gym) (heart) (devil) (lmao) (banana_cool) (banana_rock) (evil_grin) (headspin) (heart_beat) (ninja) (haha) (evilsmirk) (bigeyes) (funkydance) (idiot) (lonely) (scenic) (hassle) (panic) (okok) (yahoo) (blush) (fish_hit) (muhaha) (muscle) (taser) (beer) (coffee) (banana_ninja) (goal) (fireworks) (smileydance) (dance_bzz) (rusian)