[Samba] Making users local administrators

Terry Austin terry at crownhardware.com
Thu Mar 21 09:52:21 MDT 2013 

On 21 Mar 2013 at 8:43, Gregory Sloop wrote:

> 
> 
> ML> On Thu, Mar 21, 2013 at 11:24 AM, Terry Austin <terry at crownhardware.com> wrote:
> >> On 21 Mar 2013 at 10:29, L.P.H. van Belle wrote:
> >>
> >>> DONT DO IT !!
> >>>
> >>> This is Administrators 1ste rule !!
> >>> NEVER, but then NEVER giver users Administrator/PowerUser rights.
> >>
> >> I have no choice. There's too much stuff out of my control that requires
> >> the daily user have admin rights locally.
> 
> ML> Well, it's a lot more work, but you could use the Windows utilities
> ML> FILEMON and REGMON to monitor what file and registry access your
> ML> applications require on the local machine, and then grant the local
> ML> user access to just those needed items, rather than across-the-board
> ML> full local administrator access.
> 
> For goodness sake.
> 
> I think it's appropriate to remember that the networks and
> workstations were put there, NOT for the enjoyment and ability of
> network admins to insist on technical purity and "rightness," but to
> get work done.
> 
> If "technical purity" becomes the paramount focus, IMO, we're doing it
> wrong.
> 
Or just doing the wrong job entirely. I know what I get paid to do, and 
it's not technical purity.

> Finally, sometimes political considerations, among others also
> outweigh technical purity. And frankly, given the environment and time
> constraints, it may be MORE work and cost to figure out what's needed
> to not allow local admin privs.

And that is the case here. I could, eventually, do it "right," but I have 
very limited resources, and a job to do. Domain log in will be a huge 
improvement over local Windows log in (and only one per computer, and that 
without a password for some really stupid technical reasons beyond my 
control). What few real risks there are, I can now control more easily as 
exclusions to the local admin rights rather than by default. I don't like 
it either, but at the end of the day, I do what the job requires, and the 
job requires that certain computer functions *work*.
> 
> So, please. Go ahead and warn if you like, but offer some help, don't
> just abuse the poster for making a decision that's practical for their
> particular situation.

I appreciate the support, but don't worry about me. I've got a pretty thick 
sink, and I knew this was coming.

I won't be commenting on how stupid this is again. I got an answer that 
works, and I appreciate the advice - and the warnings. I'd rather be told 
something I already know than miss something I didn't.

More information about the samba mailing list