Devin Acosta via FreeIPA-users wrote: > > I am hoping to see if someone can tell me what I either need to change > or update to get it so that FreeIPA doesn't automatically keep adding > all new users that is created automatically to the admin group. I > inherited this installation of FreeIPA and so far haven't been able to > figure out what either got changed or how to disable this behavior? I am > running the latest FreeIPA 4.4 on CentOS 7.3. > > Any help would be greatly appreciated. Probably the default users group. Try: $ kinit admin $ ipa config-show |grep 'Default users group' Can be changed using: $ ipa config-mod --defaultgroup ipausers You can probably do this in the UI as well but I'm a CLI guy. rob

Look at automember rules. Verzonden vanaf mijn Samsung-apparaat -------- Oorspronkelijk bericht -------- Van: Devin Acosta via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org&gt; Datum: 02-06-17 20:13 (GMT+01:00) Aan: Rob Crittenden <rcritten(a)redhat.com&gt; Cc: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org&gt;, Devin Acosta <linuxguru.co(a)gmail.com&gt; Onderwerp: [Freeipa-users] Re: FreeIPA (adding all new users to admin group by default?) Rob, That is what confuses me, I show that the default users group is "ipausers", however when I added an account which I just tested it added to admins group. Anything else that could be making it add it to the "admin" group? [root@ipa01 ~]# ipa config-show Maximum username length: 32 Home directory base: /home Default shell: /bin/bash * Default users group: ipausers* Default e-mail domain: m451.tech Search time limit: 2 Search size limit: -1 User search fields: uid,givenname,sn,telephonenumber,ou,title Group search fields: cn,description Enable migration mode: FALSE Certificate Subject base: O=M451.TECH Password Expiration Notification (days): 4 Password plugin features: AllowNThash SELinux user map order: guest_u:s0$xguest_u:s0$user_u: s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 Default SELinux user: unconfined_u:s0-s0:c0.c1023 Default PAC types: nfs:NONE, MS-PAC [root@ipa01 ~]# ipa user-add testuser-devin First name: Devin Last name: Acosta --------------------------- Added user "testuser-devin" --------------------------- User login: testuser-devin First name: Devin Last name: Acosta Full name: Devin Acosta Display name: Devin Acosta Initials: DA Home directory: /home/testuser-devin GECOS: Devin Acosta Login shell: /bin/bash Principal name: testuser-devin(a)M451.TECH Principal alias: testuser-devin(a)M451.TECH Email address: testuser-devin(a)m451.tech UID: 34375527 GID: 34375527 Password: False *Member of groups: ipausers, admins* Roles: IT Security Specialist, sec_netops2, helpdesk, IT Specialist, User Administrator, Security Architect, ipa_join Indirect Member of role: ipa_join, helpdesk, IT Security Specialist, sec_netops2, IT Specialist, Security Architect, User Administrator Kerberos keys available: False On Fri, Jun 2, 2017 at 11:02 AM, Rob Crittenden <rcritten(a)redhat.com&gt; wrote: > Devin Acosta via FreeIPA-users wrote: > > > > I am hoping to see if someone can tell me what I either need to change > > or update to get it so that FreeIPA doesn't automatically keep adding > > all new users that is created automatically to the admin group. I > > inherited this installation of FreeIPA and so far haven't been able to > > figure out what either got changed or how to disable this behavior? I am > > running the latest FreeIPA 4.4 on CentOS 7.3. > > > > Any help would be greatly appreciated. > > Probably the default users group. Try: > > $ kinit admin > $ ipa config-show |grep 'Default users group' > > Can be changed using: > > $ ipa config-mod --defaultgroup ipausers > > You can probably do this in the UI as well but I'm a CLI guy. > > rob >