[Samba] power users group

Lorenzo Delana lorenzo.delana at gmail.com
Fri Mar 16 15:59:36 UTC 2018


I know that, thank you for the advice. I ended up with the following DC config:
- Administrator ( real random password len 24 )
- itadmin member of "Domain Admins" ( real random password len 12 )
- custom "Local Admins" group with some users able to install software ( 
like local pc administrators ) (reference 
<http://cbudde.com/2014/11/adding-users-to-the-local-administrators-group-using-group-policy/>)

The purpose of the itadmin user here is to be used only by the IT administrator 
from secure hosts; it has a password that is easier to type even w/out 
copy/paste or other tools, and with a defined password expiration.
The purpose of the users in the Local Admins group is to allow local PC software 
installation w/out the need for itadmin intervention and to ensure no AD 
modification can be done.

On 15/03/2018 17:34, Harry Jede wrote:
>
> On Thursday, 15 March 2018, 16:21:24 CET, Lorenzo Delana via samba 
> wrote:
>
> > I just installed a samba4 dc and I see that the Power Users group is
> > missing. Is it possible to create that group so that a workstation
> > joined to the domain can install software using users belonging to
> > that group, and how can it be done?
> >
> > Actually, simply creating a group with that name doesn't give any
> > privilege to that group's users.
>
> read:
>
> https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
>
> or here:
>
> SID: S-1-5-32-547 Name: Power Users Description: A built-in group. By 
> default, the group has no members. Power users can create local users 
> and groups; modify and delete accounts that they have created; and 
> remove users from the Power Users, Users, and Guests groups. Power 
> users also can install programs; create, manage, and delete local 
> printers; and create and delete file shares.
>
> the net command may be used to create the group and assign privileges.
>
> HINT:
>
> Power Users can do much more than installing software, i.e. managing 
> users and groups.
>
> This is the reason why MS has removed "Power Users" from default install.
>
> IT IS REALLY RISKY.
>
> But if you want, it is your choice.
>
> -- 
>
> Regards
>
> Harry Jede
>
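
The goal stated in the message above, that accounts in "Local Admins" can install software but cannot modify AD, can be checked by confirming that none of them also reaches a privileged domain group through nesting. This is an added example, not part of the thread: the membership data is constructed (it could be collected with `samba-tool group listmembers <group>` on the DC), and alice, bob, carol and Helpdesk are hypothetical names.

```python
# Constructed sample: direct members of each group. Only Administrator, itadmin,
# "Domain Admins" and "Local Admins" come from the thread; the rest is hypothetical.
MEMBERS = {
    "Domain Admins": ["Administrator", "itadmin"],
    "Enterprise Admins": ["Administrator"],
    "Administrators": ["Administrator", "Domain Admins", "Enterprise Admins"],
    "Account Operators": [],
    "Local Admins": ["alice", "bob", "Helpdesk"],
    "Helpdesk": ["carol", "Local Admins"],  # nesting loop, must not recurse forever
}

# Domain groups whose members can change AD objects (assumed list, extend as needed).
PRIVILEGED = ["Domain Admins", "Administrators", "Enterprise Admins", "Account Operators"]


def effective_users(group, members, _seen=None):
    """Return every user account in `group`, following nested groups."""
    seen = set() if _seen is None else _seen
    if group in seen:          # already expanded on this walk (loop or diamond)
        return set()
    seen.add(group)
    users = set()
    for name in members.get(group, []):
        if name in members:    # the member is itself a group: expand it
            users |= effective_users(name, members, seen)
        else:
            users.add(name)
    return users


def tier_violations(workstation_group, privileged, members):
    """Map each account of the workstation-admin group to the privileged
    AD groups it also belongs to, directly or through nesting."""
    local = effective_users(workstation_group, members)
    found = {}
    for group in privileged:
        for user in sorted(local & effective_users(group, members)):
            found.setdefault(user, []).append(group)
    return found


if __name__ == "__main__":
    for user, groups in tier_violations("Local Admins", PRIVILEGED, MEMBERS).items():
        print(f"{user}: also in {', '.join(groups)}")
```

An empty result means the two tiers are separate; any entry is an account that holds both workstation-admin and AD-modifying rights.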


