When a member server is joined to one domain in a forest, should members of other-dom\domain admins be Administrators

Richard Sharpe realrichardsharpe at gmail.com
Tue May 1 17:35:10 MDT 2012


On 5/1/12, Andrew Bartlett <abartlet at samba.org> wrote:
> On Tue, 2012-05-01 at 14:25 -0700, Richard Sharpe wrote:
>> Hi,
>>
>> When a member server, say SRV1 joins DOM1.someforest.local, should a
>> member of OTHERDOM.DOM1.someforest.local also have membership of
>> BUILTIN\Administrators on the member server?
>
> As far as I understand it, no.  Forest admins might of course, but
> domain admins are per-domain.  (Of course, the real security boundary is
> the forest, and any domain admin could subvert their own server and take
> over the forest, but just don't tell the auditors...).

Yeah, I think my question was badly posed as well.

The real issue is that people who want to be able to back up to the
storage on the member server were expecting that using Administrator
from any domain in the forest would work, and of course it does not.
(Trusts mean that you can be authenticated, so that much is easy.)

What they really need is a universal group that the appropriate people
are members of, and an appropriate set of ACEs in the ACL on the root
of the share.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Dukang wine. -- Cao Cao)
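The setup Richard describes (a universal group for the backup people, plus explicit ACEs on the share root rather than membership in BUILTIN\Administrators), written out as an added PowerShell example that is not part of the thread. The group name, OU, user accounts and share path are hypothetical placeholders; it assumes the ActiveDirectory module on a DC in DOM1 and a Windows member server hosting the share.

```powershell
# Added example (not from the thread): a forest-wide backup group in DOM1,
# granted only the rights it needs on the share root of the member server.
# Group name, OU, member accounts and share path are hypothetical.
Import-Module ActiveDirectory

$group = 'ForestBackupOperators'
$ou    = 'OU=Groups,DC=dom1,DC=someforest,DC=local'

# Universal scope: members may come from any domain in the forest, and the
# group SID travels in the token when a user authenticates across the trust.
New-ADGroup -Name $group -GroupScope Universal -GroupCategory Security -Path $ou

# Members from two different domains in the forest (hypothetical accounts).
Add-ADGroupMember -Identity $group -Members @(
    (Get-ADUser 'backup1' -Server 'dom1.someforest.local'),
    (Get-ADUser 'backup2' -Server 'otherdom.dom1.someforest.local')
)

# On the member server: give the group Modify on the share root and below.
# Nobody is added to BUILTIN\Administrators, so a Domain Admin from another
# domain still gets no administrative rights on this host.
$root = 'D:\Backups'
$acl  = Get-Acl -Path $root
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "DOM1\$group",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
     [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $root -AclObject $acl

# Check the result: the ACE for the group should be present with Modify,
# and there should be no ACE for any other domain's Domain Admins.
(Get-Acl -Path $root).Access |
    Where-Object { $_.IdentityReference -like "*$group*" -or
                   $_.IdentityReference -like '*Domain Admins*' } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```

Universal group membership is replicated to the global catalog, so keep the group small and review its members, since it is the one object that now grants write access to the backup store forest-wide.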

