[Samba] best practice for domain admins

L.P.H. van Belle belle at bazuin.nl
Wed Aug 7 10:58:24 UTC 2019


Hai, 


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Wednesday, 7 August 2019 11:25
> To: samba
> Subject: [Samba] best practice for domain admins
> 
> 
> I expect the next "you should know" here.
Nah, the previous, that was one, and you did know that.
Been there, done it. I know how it works, sometimes you're just in a rush.
But I had to post it to the list so I hope others learn from it.

> 
> How do you handle administrative accounts in your 
> samba/windows domains?
> 
> I have to provide some accounts for the so-called admin users at the
> customer ... in some cases they learned the main admin pwd (yes, bad)
> and used it for installing this and that.

This depends on what the need is. 

I suggest you start reading here. 
https://www.petri.com/managing-privileged-access-active-directory

And 
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups 

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/access-control

Keep an eye on the SePrivileges and make sure you check these also.
Yes, it's a lot to read into.

Make separate accounts that need admin rights and use these to configure services where needed.
This makes sure you can always change the Administrator password without creating conflicts in other parts of the network.

Delegate user management.
Where possible use GPOs to install software.
And I try to do everything (where possible) with GPOs.

There is a lot to read and talk about this, start simple. 
For example. 
https://www.petri.com/delegate-permission-reset-ad-user-account-passwords 



So far, 

Greetz, 

Lous









