[Samba] best practice for domain admins

L.P.H. van Belle belle at bazuin.nl
Wed Aug 7 12:24:05 UTC 2019


 
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Stefan G. Weichinger via samba
> Sent: Wednesday 7 August 2019 13:53
> To: samba at lists.samba.org
> Subject: Re: [Samba] best practice for domain admins
> 
> On 07.08.19 at 13:41, L.P.H. van Belle via samba wrote:
> > Good one Norbert, 
> > 
> > And this is exactly how I'm doing my software installs. 
> > My colleague finds it very annoying. :-) 
> > 
> > I also added ( through GPO ) that, once you're logged into the 
> Domain, all software add/remove functions are disabled, even 
> for Domain admins,
> > only "local - pc admins" can install software. 
> 
> This might get annoying if I deploy MS LAPS: separate admin-pw per PC.
> 
> So I have to decide here ... (or roll out the same local-admin-pwd
> everywhere).
> 

I understand why you are saying that about MS LAPS and I'm going to look into MS LAPS more. 
For now, in this case, I suggest you set up 2 accounts. 

One general ( LAPS compliant ) and one only for software installs. 
After you have installed the software on the computers, you disable the "installAdmin" account and change the password. 

The steps for the GPOs that create the local users and/or groups:
1) Create a local admin group in AD
2) Add the needed users to the group
3) Create a new group policy to push the policy
4) Expand "Computer Configuration" -> "Policies" -> "Windows Settings" -> "Security Settings" -> "Restricted Groups"
5) In the "Add Groups" interface you add the group you created in steps 1 and 2 above
6) Attach this policy to the OU where the computers are.

And the above means you have to think carefully about whether your current AD layout works for you. 

For example: 
BASE
	OU=Domain controllers
	OU=Computers
	OU=users
Then you apply the GPO on BASE or OU=Computers ( depending on the GPO settings also! )

Or 
BASE
	OU=Domain controllers
	OU=Computers
	OU=users
	OU=Company
	OU=Company,OU=Users
	OU=Company,OU=Computers
Then you apply the GPO on OU=Company


Or
BASE
	OU=Domain controllers
	OU=Computers
	OU=users
	OU=Company
	OU=Company,OU=Department1 ( containing its users AND computers ) 
	OU=Company,OU=Department2 ( containing its users AND computers ) 
Then you apply the GPO on OU=Company 
	and per Department on OU=Company,OU=Department1
	or OU=Company,OU=Department2 

But that all depends on your AD design. 

So don't rush this, think carefully about it. 


Greetz, 

Louis
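An added example, not part of Louis's or Stefan's mails and not Samba project code: the steps above are the GPMC clicks for a Restricted Groups policy, but on a Samba AD DC without GPMC the same GPO can be assembled by hand, because Restricted Groups live in a plain GptTmpl.inf under SYSVOL plus two attributes on the groupPolicyContainer object. The script builds those three artifacts. The group SID, GPO GUID and domain DN are constructed placeholders; the real values come from `wbinfo -n LocalAdmins` and from `samba-tool gpo create "Local Admins"`. It also shows the choice step 5 glosses over: the "Memberof" form adds the domain group to local Administrators and leaves other members alone (so a LAPS-managed local admin survives), while the "Members" form replaces the local Administrators membership on every refresh.

```python
"""
Added example: build the GptTmpl.inf, GPT.INI and LDIF a Restricted Groups GPO
needs on a Samba AD DC. All SIDs, GUIDs and DNs below are constructed placeholders.
"""

ADMINISTRATORS_SID = "S-1-5-32-544"  # BUILTIN\Administrators, identical on every Windows host
SECURITY_CSE = "{827D319E-6EAC-11D2-A4EA-00C04F79F83A}"  # client-side extension: Security Settings
SECURITY_SNAPIN = "{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}"  # its MMC snap-in extension GUID


def gpttmpl_inf(domain_group_sids, mode="memberof"):
    """Return the text of GptTmpl.inf for a Restricted Groups policy.

    mode="memberof": each listed domain group is ADDED to local Administrators;
                     members already present (e.g. a LAPS-managed local admin) stay.
    mode="members":  local Administrators is REPLACED by exactly the listed groups
                     on every Group Policy refresh (the RID-500 Administrator cannot be removed).
    """
    lines = [
        "[Unicode]",
        "Unicode=yes",
        "[Version]",
        'signature="$CHICAGO$"',
        "Revision=1",
        "[Group Membership]",
    ]
    if mode == "memberof":
        for sid in domain_group_sids:
            lines.append(f"*{sid}__Memberof = *{ADMINISTRATORS_SID}")
            lines.append(f"*{sid}__Members =")
    elif mode == "members":
        lines.append(f"*{ADMINISTRATORS_SID}__Memberof =")
        lines.append(f"*{ADMINISTRATORS_SID}__Members = "
                     + ",".join(f"*{s}" for s in domain_group_sids))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    # secedit wants CRLF line endings; write the file with encoding="utf-16" (UTF-16 LE with BOM).
    return "\r\n".join(lines) + "\r\n"


def bump_machine_version(version_number):
    """versionNumber packs user (low 16 bits) and machine (high 16 bits) versions.
    We changed the machine half, so add 1 to the high word."""
    return version_number + 0x10000


def gpt_ini(version_number):
    """Contents of GPT.INI in the GPO's SYSVOL folder; must equal versionNumber in the directory,
    otherwise clients think nothing changed and do not re-apply the policy."""
    return f"[General]\r\nVersion={version_number}\r\n"


def gpo_ldif(gpo_guid, domain_dn, new_version):
    """LDIF for ldbmodify: register the Security CSE on the GPO and publish the new version."""
    return (
        f"dn: CN={gpo_guid},CN=Policies,CN=System,{domain_dn}\n"
        "changetype: modify\n"
        "replace: gPCMachineExtensionNames\n"
        f"gPCMachineExtensionNames: [{SECURITY_CSE}{SECURITY_SNAPIN}]\n"
        "-\n"
        "replace: versionNumber\n"
        f"versionNumber: {new_version}\n"
        "-\n"
    )


def gpttmpl_path(sysvol_root, dns_domain, gpo_guid):
    """Where the inf has to land inside SYSVOL (Samba uses an upper-case MACHINE directory)."""
    return (f"{sysvol_root}/{dns_domain}/Policies/{gpo_guid}"
            "/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf")


if __name__ == "__main__":
    # Constructed placeholders: SID of the "LocalAdmins" domain group, GUID printed by samba-tool gpo create.
    local_admins_sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"
    gpo_guid = "{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}"
    domain_dn = "DC=samdom,DC=example,DC=com"
    print(gpttmpl_inf([local_admins_sid]))
    print(gpt_ini(bump_machine_version(0)))
    print(gpo_ldif(gpo_guid, domain_dn, bump_machine_version(0)))
    print(gpttmpl_path("/var/lib/samba/sysvol", "samdom.example.com", gpo_guid))
```

Order of operations on the DC: `samba-tool group add LocalAdmins` and `samba-tool group addmembers LocalAdmins installadmin`, then `samba-tool gpo create "Local Admins"`, write the generated GptTmpl.inf and GPT.INI into the GPO folder, apply the LDIF with `ldbmodify -H /var/lib/samba/private/sam.ldb`, run `samba-tool ntacl sysvolreset` so the new files get the SYSVOL ACLs, and finally `samba-tool gpo setlink "OU=Computers,DC=samdom,DC=example,DC=com" <guid>` on the OU that holds the computers, per the layout discussion above. Disabling the installAdmin account afterwards, as suggested in the mail, works with either inf mode because the group membership stays in place while the account is dead.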



