[Samba] Making users local administrators

Terry Austin terry at crownhardware.com
Thu Mar 21 10:03:27 MDT 2013


On 21 Mar 2013 at 11:50, Michael Leone wrote:

> On Thu, Mar 21, 2013 at 11:43 AM, Gregory Sloop <gregs at sloop.net> wrote:
> 
> > ML> Well, it's a lot more work, but you could use the Windows utilities
> > ML> FILEMON and REGMON to monitor what file and registry access your
> > ML> applications require on the local machine, and then grant the local
> > ML> user access to just those needed items, rather than across-the-board
> > ML> full local administrator access.
> >
> > For goodness sake.
> >
> > I think it's appropriate to remember that the networks and
> > workstations were put there, NOT for the enjoyment and ability of
> > network admins to insist on technical purity and "rightness," but to
> > get work done.
> >
> > If "technical purity" becomes the paramount focus, IMO, we're doing it
> > wrong.
> >
> > Finally, sometimes political considerations, among others also
> > outweigh technical purity. And frankly, given the environment and time
> > constraints, it may be MORE work and cost to figure out what's needed
> > to not allow local admin privs.
> >
> > So, please. Go ahead and warn if you like, but offer some help, don't
> > just abuse the poster for making a decision that's practical for their
> > particular situation.
> 
> I, for one, was not "abusing" anyone. I was offering alternatives to a
> user who may or may not know of them. Not everyone is conversant with
> all utilities or practices, especially cross-platform.
> 
OK, I said I wasn't going to comment on this any more, but I feel 
compelled:

I do *not* feel abused. I appreciate the support, Gregory, but at this 
point, I think you feel more put out on my behalf than I do. Even if I know 
what everyone is saying, there are other people on this list who don't, and 
should hear it before they see me do something that might be an acceptable 
(or necessary) risk _for me_, and think that means they can do the same 
thing, too, because it would be *so* much easier than doing it right.

What I'm doing is a policy decision that hinges on more than technical 
criteria, and is the sort of thing that should *never* be done lightly. 
Some of the "this is a bad idea" responses (not Gregory's) have been easy 
to take in a more negative (even strident) way than, I suspect, they were 
intended. Such is the nature of a text-only form of communication. Anybody 
who doesn't have a thick skin should avoid the internet.

Now can we *please* drop this? I really don't want to be the guest of honor 
at a flamewar over something that I not only didn't mind, but appreciated.


