Our Unix systems rely on corporate AD for authentication and authorization.
We need to create a few "role" accounts, which shall not be able to log in themselves, but to which other accounts (belonging to real persons) will be switching (with ksu or sudo). The accounts will also need to run cron jobs and some daemons. The software needs access to certain network shares, so the accounts need to belong to additional groups.
How to best create such accounts in AD? I thought I'd set both the "User must change password" and "User cannot change password" checkboxes, but the interface "helpfully" prevented me from doing so. Marking the accounts as "disabled" seems to break group membership and keeps them unable to access the network shares...
Suggestions? Thank you!