[Samba] best practice for domain admins
L.P.H. van Belle
belle at bazuin.nl
Wed Aug 7 11:41:13 UTC 2019
Good one Norbert,
And this is exacly as im doing my software installs.
My collega finds it very annoying. :-)
I also added ( through GPO ) that, once your logged in the Domain, all software add/remove functions are disabled, even for Domain admins,
only "local - pc admins" can install software.
( use .\localInstallAdmin ) where "." is equal to the pc name.
That is handy, so you dont have to know the Pcname when your installing.
And dont forget, "NTDOM\Domain admins" is a member of "BUILTIN\Administrators"
"BUILTIN\Administrators" on the pc/server local, is shown as : "Administrators"
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Norbert Hanke via samba
> Verzonden: woensdag 7 augustus 2019 13:06
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] best practice for domain admins
> I would recommend:
> First change that Administrator password...
> For persons needing to do admin tasks: provide them a second account
> that they can use if needed so that they don't have unneeded
> while doing their everyday work.
> For the different roles (such as sw installation on PCs): set up AD
> groups and add those second accounts to these groups.
> For the sw-installation-on-PCs group: put that group into the (local)
> administrators group on all PCs using the GPO setting
> Computer Configuration --> Policies --> Windows Settings --> Security
> Settings --> Restricted Groups --> Group Name "Administrators"
> The net result: If such a power user needs to install something, he
> enters his 2nd UserID & password, does the installation, and all fine.
> He will not have a chance to break anything in the central AD.
> You can do similar things with other workstation-local groups such as
> Backup Operatos etc...
> On 07.08.2019 12:00, Stefan G. Weichinger via samba wrote:
> > Am 07.08.19 um 11:45 schrieb Rowland penny via samba:
> >> On 07/08/2019 10:25, Stefan G. Weichinger via samba wrote:
> >>> I expect the next "you should know" here.
> >>> How do you handle administrative accounts in your
> samba/windows domains?
> >>> I have to provide some accounts for the so-called admin
> users at the
> >>> customer ... in some cases they learned the main admin
> pwd (yes, bad)
> >>> and used it for installing this and that.
> >>> Add their own users to group "domain admins"?
> >>> I'd like to take away the main admin pwd from them. I have to.
> >> Rule one, never tell anyone the Administrator password
> >> Try reading about delegation on Active Directory.
> > started ...
> > will try first with setting up a specific user for the backups
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba