[Samba] best practice for domain admins
L.P.H. van Belle
belle at bazuin.nl
Wed Aug 7 12:24:05 UTC 2019
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Wednesday 7 August 2019 13:53
> To: samba at lists.samba.org
> Subject: Re: [Samba] best practice for domain admins
>
> On 07.08.19 at 13:41, L.P.H. van Belle via samba wrote:
> > Good one Norbert,
> >
> > And this is exactly how I'm doing my software installs.
> > My colleague finds it very annoying. :-)
> >
> > I also added (through GPO) that, once you're logged into the
> > Domain, all software add/remove functions are disabled, even
> > for Domain admins,
> > only "local - pc admins" can install software.
>
> This might get annoying if I deploy MS LAPS: separate admin-pw per PC.
>
> So I have to decide here ... (or roll out the same local-admin-pwd
> everywhere).
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
I understand why you're saying that about MS LAPS and I'm going to look into MS LAPS more.
For now, in this case, I suggest you set up 2 accounts.
One general (LAPS compliant) and one only for software installs.
After you have installed software on the computers, you disable the "installAdmin" account and change the password.
The steps for the GPOs to create the local users and/or groups:
1) Create a local admin group in AD
2) Add the needed users to the group
3) Create a new group policy to push the policy
4) Expand "Computer Configuration" -> "Policies" -> "Windows Settings" -> "Security Settings" -> "Restricted Groups"
5) In the "Add Groups" interface you add the group you created in steps 1 and 2 above
6) Attach this policy to the OU where the computers are.
And the above means you have to think carefully about whether your current AD layout works for you.
For example.
BASE
OU=Domain controllers
OU=Computers
OU=users
Then you apply the GPO on BASE or OU=Computers ( depending on the GPO settings also! )
Or
BASE
OU=Domain controllers
OU=Computers
OU=users
OU=Company
OU=Company,OU=Users
OU=Company,OU=Computers
Then you apply the GPO on OU=Company
Or
BASE
OU=Domain controllers
OU=Computers
OU=users
OU=Company
OU=Company,OU=Department1 ( containing its users AND computers )
OU=Company,OU=Department2 ( containing its users AND computers )
Then you apply the GPO on OU=Company
and per Department OU=Company,OU=Department1
or OU=Company,OU=Department2
But that all depends on your AD design.
So don't rush this, think carefully about it.
Greetz,
Louis
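The six GPO steps above, scripted as an added example (this is not code from the original post or from the Samba project): it uses the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined Windows admin box. The domain name, group name, member list, OU distinguished name and GPO name are assumptions to replace with your own. Restricted Groups has no cmdlet, so the setting is written the way GPMC stores it, as a Security Settings template (GptTmpl.inf) in the GPO's SYSVOL folder, after which the Security client-side extension is registered on the GPO and its version is bumped so clients pick the change up.

```powershell
# Added example, not from the original post: steps 1-6 of the Restricted Groups GPO.
# Assumed values (change them): domain, group name, members, target OU, GPO name.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain    = 'example.internal'                                  # assumed AD domain
$GroupName = 'LocalAdmins'                                        # assumed group (step 1)
$Members   = @('alice', 'bob')                                    # assumed users (step 2)
$TargetOU  = 'OU=Computers,OU=Company,DC=example,DC=internal'     # assumed OU (step 6)
$GpoName   = 'Local Administrators'                               # assumed GPO name (step 3)

# Steps 1 and 2: the domain group that becomes a member of every PC's local Administrators.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
}
Add-ADGroupMember -Identity $group -Members $Members

# Step 3: a new (empty) GPO, reused if it already exists.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Steps 4 and 5: the Restricted Groups entry, written as GPMC writes it.
# "<group SID>__Memberof = *S-1-5-32-544" ADDS the group to the local Administrators
# (S-1-5-32-544) and leaves the existing members alone.  An "*S-1-5-32-544__Members = ..."
# line would instead REPLACE the whole Administrators membership on every refresh.
$gpoDir = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"
$secDir = Join-Path $gpoDir 'Machine\Microsoft\Windows NT\SecEdit'
New-Item -ItemType Directory -Path $secDir -Force | Out-Null
$sid = $group.SID.Value
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Group Membership]
*${sid}__Memberof = *S-1-5-32-544
*${sid}__Members =
"@
# GptTmpl.inf is expected to be UTF-16 LE.
Set-Content -Path (Join-Path $secDir 'GptTmpl.inf') -Value $inf -Encoding Unicode

# Register the Security CSE ({827D319E-...}) and its settings tool ({803E14A0-...}) on the
# GPO object and increment the machine version (low 16 bits of versionNumber) in both AD
# and GPT.ini, as GPMC does after a GUI edit.  Assumes this GPO carries no other machine
# extensions yet, since -Replace overwrites the attribute.
$gpoObj  = Get-ADObject -Identity $gpo.Path -Properties versionNumber
$newVer  = $gpoObj.versionNumber + 1
Set-ADObject -Identity $gpo.Path -Replace @{
    gPCMachineExtensionNames = '[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]'
    versionNumber            = $newVer
}
Set-Content -Path (Join-Path $gpoDir 'GPT.ini') -Value "[General]`r`nVersion=$newVer" -Encoding Ascii

# Step 6: link the GPO to the OU that holds the computers (the link is skipped if present).
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue
```

Two things worth checking after `gpupdate /force` on a test PC: `net localgroup Administrators` should list the domain group alongside the LAPS-managed built-in Administrator, and it should still do so after you remove the group by hand, because Restricted Groups re-applies the membership on every policy refresh. If you pick the "Members" form instead of "Memberof", every other local administrator account on the PC (including an "installAdmin" account created locally) is removed at the next refresh, which is the trap the LAPS remark above is about.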