[Samba] Making users local administrators

Terry Austin terry at crownhardware.com
Thu Mar 21 09:39:03 MDT 2013


On 21 Mar 2013 at 11:28, Novosielski, Ryan wrote:

> Well, if you must allow them to have this access, I would make it through a separate account. There is no good reason to have users logging in daily as Administrator anymore. 

There's too much idiocy in the design of our point-of-sale/inventory 
software, and we have a deal support web site we *have* to use to run our 
business that runs on ActiveX controls in IE (and that get updated often 
enough to be a pain), and too many users who couldn't remember how to do 
that. It'd never work. Believe me, I know the hazards here. Once we start 
logging in to a domain, things will be a *lot* more secure than they ever 
have been before, with just local Windows accounts (with admin rights).

The risks are mitigated by the fact that we are a retail business, and the 
vast majority of my users are store level management (who, while often 
clueless about computers, are generally pretty smart) who spend as little 
time as possible in the office instead of on the sales floor. They don't do 
much on the computer, even less online, and very little of that is outside 
of a very small group of web sites that are generally pretty safe. Only the 
store office computers have unrestricted internet access.

We haven't had a lot of issues. One, that I recall, in 15 years, that 
required more than a system restore to fix or affected more than one 
particular computer.
> 
> Trouble with mailing lists: you will get an opinion on what you're doing, want it or not. 

Honest, I'm surprised it took as long as it did.

Really, folks, I do know the risks. And I really have no choice.
> 
> 
> ----- Original Message -----
> From: Terry Austin [mailto:terry at crownhardware.com]
> Sent: Thursday, March 21, 2013 11:24 AM
> To: L.P.H. van Belle <belle at bazuin.nl>
> Cc: samba at lists.samba.org <samba at lists.samba.org>
> Subject: Re: [Samba] Making users local administrators
> 
> On 21 Mar 2013 at 10:29, L.P.H. van Belle wrote:
> 
> > DON'T DO IT !!  
> > 
> > This is Administrators 1st rule !! 
> > NEVER, but then NEVER give users Administrator/PowerUser rights. 
> 
> I have no choice. There's too much stuff out of my control that requires 
> the daily user have admin rights locally.
> 
> Plus, we've been doing it this way for 15 years, and have never had any 
> serious issues.
> 
> > It's simple, without Admin rights on users, your PC is about 90% safer. 
> > if you also remove flash java adobe, you are about 99,5% safe. 
> 
> In our case, they'd be 100% safer because we'd be out of business. If I 
> don't keep things working, my replacement will.
> 