[Samba] best practice for domain admins

L.P.H. van Belle belle at bazuin.nl
Wed Aug 7 11:41:13 UTC 2019


Good one Norbert, 

And this is exactly how I'm doing my software installs. 
My colleague finds it very annoying. :-) 

I also added (through GPO) that, once you're logged in to the domain, all software add/remove functions are disabled, even for Domain admins;
only "local - pc admins" can install software. 
( use .\localInstallAdmin ) where "." is equal to the PC name.  
That is handy, so you don't have to know the PC name when you're installing.

And don't forget, "NTDOM\Domain admins" is a member of "BUILTIN\Administrators".
"BUILTIN\Administrators" on the pc/server local, is shown as : "Administrators"

Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Norbert Hanke via samba
> Sent: Wednesday 7 August 2019 13:06
> To: samba at lists.samba.org
> Subject: Re: [Samba] best practice for domain admins
> 
> Hi,
> 
> I would recommend:
> 
> First change that Administrator password...
> 
> For persons needing to do admin tasks: provide them a second account
> that they can use if needed so that they don't have unneeded privileges
> while doing their everyday work.
> 
> For the different roles (such as sw installation on PCs): set up AD
> groups and add those second accounts to these groups.
> 
> For the sw-installation-on-PCs group: put that group into the (local)
> administrators group on all PCs using the GPO setting
> Computer Configuration --> Policies --> Windows Settings --> Security
> Settings --> Restricted Groups --> Group Name "Administrators"
> 
> The net result: If such a power user needs to install something, he
> enters his 2nd UserID & password, does the installation, and all fine.
> He will not have a chance to break anything in the central AD.
> 
> You can do similar things with other workstation-local groups such as
> Backup Operators etc...
> 
> regards,
> Norbert
> 
> On 07.08.2019 12:00, Stefan G. Weichinger via samba wrote:
> > On 07.08.19 at 11:45, Rowland penny via samba wrote:
> >> On 07/08/2019 10:25, Stefan G. Weichinger via samba wrote:
> >>> I expect the next "you should know" here.
> >>>
> >>> How do you handle administrative accounts in your samba/windows domains?
> >>>
> >>> I have to provide some accounts for the so-called admin users at the
> >>> customer ... in some cases they learned the main admin pwd (yes, bad)
> >>> and used it for installing this and that.
> >>>
> >>> Add their own users to group "domain admins"?
> >>>
> >>> I'd like to take away the main admin pwd from them. I have to.
> >>>
> >> Rule one, never tell anyone the Administrator password
> >>
> >> Try reading about delegation on Active Directory.
> > started ...
> >
> > will try first with setting up a specific user for the backups
> >
> >
> 
> 
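The Restricted Groups setting described in the quoted reply is stored in the GPO's GptTmpl.inf under `[Group Membership]`. As an added example (not code from the thread or from the Samba project), this Python check parses that section and lists who the policy puts into the local Administrators group, separating Domain Admins from delegated groups. The sample file, its SIDs and the function names are constructed for illustration, and the functions expect already-decoded text.

```python
import re

# Constructed sample of the [Group Membership] section that the Restricted
# Groups setting writes to GptTmpl.inf in SYSVOL. All domain SIDs are made up.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-32-551__Members = *S-1-5-21-1111111111-2222222222-3333333333-1106
"""

LOCAL_ADMINISTRATORS = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
DOMAIN_ADMINS_RID = "512"               # well-known RID of Domain Admins


def restricted_groups(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from GptTmpl.inf text."""
    groups, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = re.fullmatch(r"(.+)__(members|memberof)", key, re.IGNORECASE)
        if not match:
            continue
        group = match.group(1).lstrip("*")
        entries = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        groups.setdefault(group, {"members": [], "memberof": []})
        groups[group][match.group(2).lower()] = entries
    return groups


def local_admin_report(inf_text):
    """Split the local Administrators members into Domain Admins and everything else."""
    members = restricted_groups(inf_text).get(LOCAL_ADMINISTRATORS, {}).get("members", [])
    is_da = lambda sid: sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] == DOMAIN_ADMINS_RID
    return {"domain_admins": [m for m in members if is_da(m)],
            "delegated": [m for m in members if not is_da(m)]}
```

Each SID under `delegated` should resolve to a role group holding only second accounts, such as the sw-installation-on-PCs group from the reply.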



