[Samba] roaming profile does ­not ­work for "Domain Adm­ins"

L.P.H. van Belle belle at bazuin.nl
Fri Oct 31 04:23:09 MDT 2014

>-----Oorspronkelijk bericht-----
>Van: steve at steve-ss.com [mailto:samba-bounces at lists.samba.org] 
>Namens steve
>Verzonden: vrijdag 31 oktober 2014 9:19
>Aan: samba at lists.samba.org
>Onderwerp: Re: [Samba] roaming profile does ­not ­work for 
>"Domain Adm­ins"
>On 31/10/14 08:57, L.P.H. van Belle wrote:
>> Hi Steve.
>> about.. ( and i am an admin ) ;-)
>>> Why do admins think they can enter people's private areas?
>>> It's nothing
>>> to do with you. You are merely there to make sure the
>>> computers work. So
>>> do just that. You do not dictate what others put in their
>>> profile. Just
>>> leave your users alone. When they have a problem they will tell you.
>>> Otherwise stay out.
>>> Jo
>> Yes, you correct an admin has nothing to do in people's 
>private areas.
>> But in my company, users have access to very very private 
>information about people.
>> We have to do check so this isnt abused.
>Louis, I think you're talking about something else because if not then 
>you should put this information in a database, not inuser's profile.

it is...  but you know, a user can simpely copy infomation and put it there where they want.. 
but not in my network. 

>> So in your company rules and people contract they sign that 
>the know i can access everything, see everything and i check 
>verything if i suspect wrong doings..
>I do not see what right an admin has over how someone arranges their 
>desktop or what wallpaper they choose. The boss, yes. But not 
>the admin.

a desktop wall paper... haha good example, wel your correct, they are not allowed to change there wallpaper.
I put one on there desktop, why? 3 resons. 
1) a jpg can contain a virus.  ( a users is on internet, sees a nice picture, and put it in on the desktop ) 
2) and this is the best.. i always ask my users.. If your working, do you see your wallpaper... ?? 
answere, always... No.. so why put one there, its just more risk to infect a pc and slows down your logins.
if you have 10000 users and all have a 5Mb JPG as background.. do you math, just a waist of space and time.
3) all have a "company" desingned desktop, when poeple for outside walk in your room, 
its cleaner (more proffesinal look ).

>> and in my case ( and maybe miro's also ) I do dictate wat 
>can ben in there profiles or not,
>> but i just close my network and computers with lots of policies.
>Exactly. So you do not need to browse their profiles like the 
>OP says he 
>needs to. It is an intrusion on their privacy.

Correct, this should not be needed, but as proven, it is, this is a fine line between
privacy and laws. Im checked by goverments laws, so i cant just sniff in users profiles etc. 
I do need reason, and my boss telling to check.. 

>> my users can only write in there profiles folder but are 
>unable to access it them selves,
>> there "private" user folder (home), and the needed shares.
>> They are not allowed to even write on there desktop etc.
>But that is not for _you_ to decide as an admin.

Yes it is (in my case)! ( and my manager and boss do the aproval of my suggestions.)
and this is because of a very strickt way of working, where its essential that all info is in the right place.
so users home is a "private" folder, no company data should be there if so, i can check what is.
the company shares has to have all info and this should be in inline with the database info. 

>> So yes, i can understand miro's problem. He just didnt give 
>the needed info, and that cost him time.
>> but he learned from it.
>> So lets be happy for him its solved...  ( even its a commen 
>setting in the policies. )
>We are also happy for the OP, but the stance on the right of a mere 
>sysadmin to be allowed access to a profile simply because we consider 
>ourselves admins is wrong. It really is nothing to do with us. We are 
>enough of a burden on a company as it is without getting involved in 
>affairs about which we have little or no idea!

Ok so for example, you will trust all your users with ALL your personal and financial info ... everything. 
Thats my case here.. and this is why all MY (admin) work is logged and able to be checked by goverment instances.
Yes, i can access everything in my companies network, and this is also because im admin.
this is a fine trust relation i have with boss and management and they can check my work.

In our company, internet over proxy logged, email over anti spam, logged and to bad to say, yes i have to check. 
We had on incident which i saw, and if i dont check, well, then we can close the company because of things like this.
and 100 people will lose there job.. because of.. users misbehaving and being protected by law. 

So in our contract, you must sign the you wil be checked. If not, not internet, no e-mail. 

Be-ing an Admin does not mean you can just access everything when ever you want.
Be-ing an Admin is to make sure your network and data is protected and everything works ok.
That my users can work without problems and that eveybody is happy. 
That users trust me, i dont talk about things i see and be-ing an admin is that 
everybody hates and loves me. today everybody loves me...
monday everybody hates me .. well, i dont care as long everything works ok and the boss is happy,
and users trust me and they do. I've have been and admin now for about 20 years so i know how this works.

but yes privacy is a very "scarry" thing for an admin... 
im living in an "grey" world here, walking on thin lines, check by goverment laws.. 

and you know, i totaly agree with you Steve, but we cant deside if an admin should have of not have 
access to users data. 
It all depends on what kind of data and how it effects others if this data can be access in public (generaly).

and what is this about ">T. H. 1. Robin" i dont know that. 


>T. H. 1. Robin
>> Greetz,
>> Louis
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list