Our Unix systems rely on corporate AD for authentication and authorization.

We need to create a few "role" accounts, which shall not be able to log in themselves, but to which other accounts (belonging to real persons) will be switching (with ksu or sudo). The accounts will also need to run cron jobs and some daemons. The software needs access to certain network shares, so the accounts need to belong to additional groups.

How to best create such accounts in AD? I thought I'd set both "User must change password" and "User can not change password" checkboxes to on, but the interface "helpfully" prevented me from doing so. Marking the accounts as "disabled" seems to break group membership and keeps them unable to access the network shares...

Suggestions? Thank you!

Mikhail T.

1 Answer

Not sure, but here is my guess:

Create your account and assign it a password. Make sure that "user cannot change password" is selected.

After that, right-click on your new account, select "member of" and remove it from "domain users". You still need to add it to other groups for the new account to work on whatever you need it to do.

Chico3001
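The steps from the answer above, scripted with the ActiveDirectory PowerShell module as an added example that is not part of the original answer. The account and group names are hypothetical, and the primary-group switch is included because AD will not remove a user from its primary group, which is Domain Users by default.

```powershell
# Added example; assumes the RSAT ActiveDirectory module and rights to create users.
Import-Module ActiveDirectory

# Hypothetical names, replace with your own.
$Role         = 'svc-batch'            # the role account
$PrimaryGroup = 'unix-role-accounts'   # existing global security group
$ShareGroups  = @('share-build-rw')    # groups that grant access to the shares

# Step 1: create the account with a password it cannot change itself.
$Password = Read-Host -AsSecureString "Password for $Role"
New-ADUser -Name $Role -SamAccountName $Role `
    -AccountPassword $Password -Enabled $true `
    -CannotChangePassword $true

# Step 2: add the groups the account needs (share access plus the new primary group).
foreach ($g in (@($ShareGroups) + $PrimaryGroup)) {
    Add-ADGroupMember -Identity $g -Members $Role
}

# Step 3: "Domain Users" is the default primary group, and AD refuses to
# remove a primary-group membership. Point primaryGroupID at the
# replacement group first, then drop "Domain Users".
$token = (Get-ADGroup -Identity $PrimaryGroup -Properties primaryGroupToken).primaryGroupToken
Set-ADUser -Identity $Role -Replace @{ primaryGroupID = $token }
Remove-ADGroupMember -Identity 'Domain Users' -Members $Role -Confirm:$false

# Check the result: "Domain Users" should no longer be listed.
Get-ADPrincipalGroupMembership -Identity $Role | Select-Object -ExpandProperty Name
```

On the Unix side, `id svc-batch` (same hypothetical name) should then show the new primary group and the share groups once the directory cache refreshes.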