Let's say you have a piece of software that requires a user named 'Administrator' to exist in your directory and requires that user to have administrative rights.
ClearOS does not implement a user named 'administrator' because the name is ambiguous: it can mean Administrator (the local machine account of an MS Windows workstation or server running in domain member mode) or Administrator (the name of the top-level administrative user on a Windows domain). On ClearOS, we get around the confusion by NOT implementing that user. Additionally, most domain administrators follow the best practice of intentionally changing the domain administrator account named 'administrator' to some other name. So, on ClearOS, this account is named 'winadmin'.
But the scenario above does exist and the first thing to do is to reprimand the designer of the software that would limit their product to use only the account named 'Administrator' because it goes against best practices. Please contact your software vendor and tell them that their software is broken. If they complain, direct them to this, or this, or this, or this article.
Many sites rename the Windows administrator account for security reasons. The account name has NOTHING to do with the rights and privileges that the administrator account has. The name serves only as a user-friendly name. MS Windows sells into many different geographies - each has its own locale, each has its own name for the Administrator account. The French name is “Administrateur” - thus any software that REQUIRES the name to be “Administrator” would at best not play well in international markets.
Adding a normal user and adding it to the Domain Admins group does not work, as I cannot log in to a domain computer if I call the account Administrator (every other username works). When logged in as a different user and trying to run as administrator, it returns an unknown user error.
So, how would I add a user called administrator that works?
How would I modify the winadmin name to be Administrator?
The winadmin account IS the Windows Administrator account. It has the RID=500, which means “Administrator”. This is exactly the account name that should be used.
Since you really press the requirement to create an account called “Administrator” that presumably MUST have administrative rights and privileges in the MS Windows environment, here you go:
1. Edit /etc/samba/smbusers: comment out the line “root = administrator admin”. The edited line should be:
#root = administrator admin
2. Using the Webconfig interface add a user account called “administrator” (case sensitive). In adding this account be sure to add this account as a member of the Domain Admins group.
3. Set the “administrator” account so that its RID is 500, by executing:
pdbedit -r -U 500 administrator
4. Change the winadmin RID so it is NOT 500, by executing:
pdbedit -r -U 2500 winadmin
5. It may also be necessary to grant the “administrator” account appropriate rights and privileges as follows:
net rpc rights grant "DOMAINNAME\Administrator" SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege -Uadministrator%"password"
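To confirm that steps 3 and 4 took effect, check which account actually holds RID 500. The script below is an added example, not part of the original procedure or of ClearOS: it parses text in the layout printed by `pdbedit -L -v`, and the function names, the sample listing and the SID values in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that exactly one account holds RID 500.
# Real use (as root):  pdbedit -L -v | check_rid500 administrator

# Print the Unix username of every account whose User SID ends in -500.
rid500_accounts() {
    awk -F': *' '
        /^Unix username:/ { sub(/[ \t\r]+$/, "", $2); user = $2 }
        /^User SID:/ {
            sub(/[ \t\r]+$/, "", $2)
            n = split($2, part, "-")      # the RID is the last SID component
            if (part[n] == "500") print user
        }
    '
}

# Succeed only when RID 500 is held by the expected account and nobody else.
check_rid500() {
    expected=$1
    owners=$(rid500_accounts)
    if [ "$owners" = "$expected" ]; then
        echo "OK: RID 500 is held only by '$expected'"
    else
        echo "FAIL: RID 500 held by: ${owners:-nobody} (expected '$expected')" >&2
        return 1
    fi
}

# Constructed sample of `pdbedit -L -v` output after steps 3 and 4
# (domain SID is made up; most fields omitted).
sample_pdbedit() {
    cat <<'EOF'
---------------
Unix username:        administrator
Account Flags:        [U          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-500
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-512
---------------
Unix username:        winadmin
Account Flags:        [U          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-2500
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-512
EOF
}

sample_pdbedit | check_rid500 administrator
```

A FAIL that lists two names means step 4 was skipped and both accounts still map to RID 500.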
Now that all this is said, I find myself needing to say that you can change the default administrative account of ClearOS in order to improve the security of ClearOS by renaming 'winadmin'. You could also use the method above, but don't call the new account 'administrator'. I might have to bang my head against a wall if you do.
- John H Terpstra
- Dave Loper