[Samba] best practice for domain admins

Norbert Hanke norbert.hanke at gmx.ch
Wed Aug 7 11:06:14 UTC 2019


I would recommend:

First change that Administrator password...

For persons needing to do admin tasks: provide them a second account
that they can use if needed so that they don't have unneeded privileges
while doing their everyday work.

For the different roles (such as sw installation on PCs): set up AD
groups and add those second accounts to these groups.

For the sw-installation-on-PCs group: put that group into the (local)
administrators group on all PCs using the GPO setting
Computer Configuration --> Policies --> Windows Settings --> Security
Settings --> Restricted Groups --> Group Name "Administrators"

The net result: If such a power user needs to install something, he
enters his 2nd UserID & password, does the installation, and all is fine.
He will not have a chance to break anything in the central AD.

You can do similar things with other workstation-local groups such as
Backup Operators etc...


On 07.08.2019 12:00, Stefan G. Weichinger via samba wrote:
> On 07.08.19 at 11:45, Rowland penny via samba wrote:
>> On 07/08/2019 10:25, Stefan G. Weichinger via samba wrote:
>>> I expect the next "you should know" here.
>>> How do you handle administrative accounts in your samba/windows domains?
>>> I have to provide some accounts for the so-called admin users at the
>>> customer ... in some cases they learned the main admin pwd (yes, bad)
>>> and used it for installing this and that.
>>> Add their own users to group "domain admins"?
>>> I'd like to take away the main admin pwd from them. I have to.
>> Rule one, never tell anyone the Administrator password
>> Try reading about delegation on Active Directory.
> started ...
> will try first with setting up a specific user for the backups
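
The account and group steps recommended in the message above, sketched with samba-tool as an added example that is not part of the original post. The group name, the "-adm" suffix and the Domain Admins allow-list are hypothetical choices; the Restricted Groups GPO setting still has to be configured separately as the message describes.

```shell
#!/bin/sh
# Added example: second admin accounts and a role group with samba-tool.
# Assumed names (not from the thread): ROLE_GROUP, ADMIN_SUFFIX, ALLOWED_DOMAIN_ADMINS.
ROLE_GROUP="PC-Software-Installers"     # group later placed in local Administrators via the GPO
ADMIN_SUFFIX="-adm"                     # alice -> alice-adm
ALLOWED_DOMAIN_ADMINS="Administrator"   # space-separated allow-list for the audit
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands only, 0 = execute on a DC

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the role group once.
create_role_group() {
    run samba-tool group add "$ROLE_GROUP" --description="Software installation on PCs"
}

# Create the second account for one person and put it in the role group only.
provision_second_account() {
    user="$1"
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid user name: $user" >&2; return 1 ;;
    esac
    admin="${user}${ADMIN_SUFFIX}"
    run samba-tool user create "$admin" --random-password \
        --description="Admin account of $user"
    # Prompts for the initial password; the owner must replace it at first logon.
    run samba-tool user setpassword "$admin" --must-change-at-next-login
    run samba-tool group addmembers "$ROLE_GROUP" "$admin"
}

# Read group members (one per line) on stdin, print those not on the allow-list.
# Live use: samba-tool group listmembers "Domain Admins" | unexpected_domain_admins
unexpected_domain_admins() {
    while IFS= read -r member; do
        [ -n "$member" ] || continue
        case " $ALLOWED_DOMAIN_ADMINS " in
            *" $member "*) ;;
            *) printf '%s\n' "$member" ;;
        esac
    done
}

# Usage: DRY_RUN=1 sh this-script alice bob
for u in "$@"; do provision_second_account "$u"; done
```

With DRY_RUN left at 1 the script only prints the commands, so the plan can be reviewed before it is run on a domain controller with DRY_RUN=0.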
