Only allow SeMachineAccountPrivilege on machine accounts

Gerald (Jerry) Carter jerry at
Tue Jan 25 14:33:10 GMT 2005


Andrew Bartlett wrote:
| Currently, the user holding the MachineAccount priv is as
| powerful as the domain admin, as they can reset passwords
| at will.
| This patch restricts their operation to resetting only
| the passwords of workstations.  This better matches what
| I was expecting, and I hope it matches windows better.

Looks good.  Thanks, Andrew.

| The code in the create_user function also needs a similar
| treatment - a person with only machineAccount privileges
| should not be able to create user, DC or any other
| accounts, just because they chose a $ termination.
| I realise we have a comment from JFM in there, but I
| can't see how to securely handle the circumstance it
| describes, and I've never seen it myself.

I'd err on the side of caution I think.  Tighten the noose
and loosen it as necessary.  I'll look at it today.

Thanks again.

cheers, jerry
Alleviating the pain of Windows(tm)
GnuPG Key
"I never saved anything for the swim back."     Ethan Hawke in Gattaca
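The access policy the two messages above converge on, written out as an added C illustration for this page (it is not Samba's passdb or SAMR code, and the flag values, the RIGHT_* caller bits and the two check functions are hypothetical; only the ACB_* names are borrowed from Samba's acct_ctrl vocabulary for readability). It shows both halves of the fix: a holder of SeMachineAccountPrivilege may reset only workstation trust accounts, and may create an account only when the name ends in '$' *and* the requested account type is a workstation trust, so a DC or ordinary user account cannot be smuggled in by choosing a '$' suffix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Account-type bits. Names mirror Samba's ACB_* acct_ctrl flags, but the
 * values and everything in this file are an added illustration, not Samba code. */
enum acct_ctrl {
    ACB_NORMAL   = 0x0010,  /* ordinary user */
    ACB_WSTRUST  = 0x0080,  /* workstation trust account (the "$" machines) */
    ACB_SVRTRUST = 0x0100,  /* server / domain controller trust account */
    ACB_DOMTRUST = 0x0800,  /* inter-domain trust account */
};
#define ACB_TYPE_MASK (ACB_NORMAL | ACB_WSTRUST | ACB_SVRTRUST | ACB_DOMTRUST)

/* Hypothetical caller rights, reduced to the two the thread talks about. */
enum caller_rights {
    RIGHT_NONE            = 0,
    RIGHT_DOMAIN_ADMIN    = 1u << 0,
    RIGHT_MACHINE_ACCOUNT = 1u << 1,  /* SeMachineAccountPrivilege */
};

/* Password reset: a domain admin may reset anything; the machine-account
 * privilege may only reset workstation trust accounts. Without the type
 * check the privilege is as powerful as domain admin, since it could reset
 * the password of any user or DC. */
bool can_reset_password(uint32_t caller, uint32_t target_acct_ctrl)
{
    if (caller & RIGHT_DOMAIN_ADMIN)
        return true;
    if (caller & RIGHT_MACHINE_ACCOUNT)
        return (target_acct_ctrl & ACB_TYPE_MASK) == ACB_WSTRUST;
    return false;
}

/* Account creation: the same privilege must not create user, DC or trust
 * accounts. A trailing '$' is necessary but not sufficient; the account type
 * being requested has to be a workstation trust and nothing else. Non-type
 * bits (e.g. a "disabled" flag) are ignored by the mask. */
bool can_create_account(uint32_t caller, const char *name, uint32_t requested_acct_ctrl)
{
    if (caller & RIGHT_DOMAIN_ADMIN)
        return true;
    if (!(caller & RIGHT_MACHINE_ACCOUNT))
        return false;

    size_t len = strlen(name);
    bool machine_name = len > 1 && name[len - 1] == '$';
    bool workstation_type = (requested_acct_ctrl & ACB_TYPE_MASK) == ACB_WSTRUST;
    return machine_name && workstation_type;
}

int main(void)
{
    /* Constructed requests, all made by a caller holding only the
     * machine-account privilege; the last three are the cases the thread
     * wants rejected. */
    struct { const char *name; uint32_t ctrl; } req[] = {
        { "ws01$",  ACB_WSTRUST  },  /* legitimate workstation join */
        { "dc01$",  ACB_SVRTRUST },  /* DC account hidden behind a '$' */
        { "alice$", ACB_NORMAL   },  /* user account hidden behind a '$' */
        { "bob",    ACB_WSTRUST  },  /* workstation type but not a machine name */
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++) {
        printf("create %-7s type 0x%04x: %s\n", req[i].name, req[i].ctrl,
               can_create_account(RIGHT_MACHINE_ACCOUNT, req[i].name, req[i].ctrl)
                   ? "allow" : "deny");
    }
    printf("reset password of a normal user: %s\n",
           can_reset_password(RIGHT_MACHINE_ACCOUNT, ACB_NORMAL) ? "allow" : "deny");
    printf("reset password of a workstation:  %s\n",
           can_reset_password(RIGHT_MACHINE_ACCOUNT, ACB_WSTRUST) ? "allow" : "deny");
    return 0;
}
```

The point of keying both checks on the account-type bits rather than on the name is that the name is attacker-chosen while the type is what the server stores or is asked to store; checking the suffix alone is the hole the second quoted paragraph describes.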

