[Samba] Just stop it with the "Domain Admins" nonsense
rpenny at samba.org
Fri Mar 15 12:20:49 UTC 2019
On Fri, 15 Mar 2019 11:57:19 +0000
Zendal Darkman <zendal.darkman at gmail.com> wrote:
> Actually it is okay to criticise without giving a solution, if
> alternate action is evident.
It obviously isn't evident, or the wiki wouldn't have been written in
the way it is.
> HOWEVER, "upon reflection" the tone of the message was wrong, and I
> apologise for it.
Apology accepted ;-)
> I acknowledge the
> great work the people in this list do, and you deserve thanks, not
> flippancy. I would suggest that for large organisations using "domain
> admin" accounts for day to day configuring/administering on member
> servers is not common. Usually a local admin would be used, or more
> commonly a domain user account is given admin privileges.
A local admin wouldn't be able to administrate anything in the domain,
because they wouldn't be a domain user. I thought the whole idea behind
the Domain Admins group was it is a group to add users to give them
admin rights, or am I missing something ? You could also use
'Administrators' in the same way.
> The user.map can be used !root = SAMDOM\<user1> & net rpc rights grant
> "SAMDOM\<user1>" SeDiskOperatorPrivilege -U "SAMDOM\<user1>" (I grant
> it to a user rather than group, which I admit is not ideal)
You are also using it wrong, it should (in my opinion) only map
Administrator to root, not spurious users to root.
> However when I did that I did get some errors not being able to read
> to the security tab (because user1 was mapping to root???), I had to
> use a second account (user2) with sediskoperatorpriveleges, for
> things to work. (Perhaps I should have removed user.map?)
No, just use it correctly.
> As I type I am extremely conscious I could be wrong and demonstrating
> my ignorance, which causes further embarrassment to me. I am not a
> "linux" person but am called on by the supposed linux admins to do
> their job and use my admin account at 11pm at night to fix a broken
> domain membership .... "-u SAMDOM\admin" (they have rights to add
> machines to an OU, and cant be bothered to "man net").
Even easier, 'net help ads join' produces amongst its output, this:
createcomputer=OU Precreate the computer account in a specific OU.
The OU string read from top to bottom without RDNs
and delimited by a '/'.
NB: A backslash '\' is used as escape at multiple
levels and may need to be doubled or even
quadrupled. It is not used as a separator.
I don't really see any reason here to alter the wiki, perhaps Louis
has further thoughts, he knows more about Windows than I do.
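The user.map and `net rpc rights` usage discussed above, as an added example that is not part of this thread or of the Samba project's own code. It writes the mapping the reply criticises (an ordinary domain user mapped to root) next to the mapping it recommends (only the domain Administrator mapped to root), provides a check that flags any other root mapping, and prints the `net rpc rights grant` invocation that gives a group rather than a single user SeDiskOperatorPrivilege. SAMDOM, the scratch directory and the group name are assumptions; on a real member server the map file is referenced from smb.conf with Samba's `username map` parameter.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba itself.
# Assumptions: the domain is SAMDOM, files go to a scratch directory,
# and the real smb.conf would carry "username map = /etc/samba/user.map".

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# The mapping the reply calls wrong: a normal domain user becomes root.
cat > "$WORKDIR/user.map.bad" <<'EOF'
!root = SAMDOM\user1
EOF

# The mapping the reply recommends: only the domain Administrator becomes root.
# The leading '!' stops further map processing once this line matches.
cat > "$WORKDIR/user.map.good" <<'EOF'
!root = SAMDOM\Administrator
EOF

# check_user_map FILE DOMAIN
# Prints every line that maps something other than DOMAIN\Administrator
# to the unix root account; returns 1 if any such line exists, else 0.
check_user_map() {
    map="$1"
    dom="$2"
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines and comments
        case "$line" in ''|'#'*|';'*) continue ;; esac
        # unix name on the left of '=', with any leading '!' removed
        unixname=$(printf '%s' "$line" | sed 's/^[[:space:]]*!*[[:space:]]*//; s/[[:space:]]*=.*//')
        [ "$unixname" = "root" ] || continue
        # everything to the right of '='
        rhs=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//')
        if [ "$rhs" != "${dom}\\Administrator" ]; then
            printf 'non-Administrator root mapping: %s\n' "$line"
            status=1
        fi
    done < "$map"
    return $status
}

# grant_cmd DOMAIN GROUP
# Prints the net command that grants SeDiskOperatorPrivilege to a domain
# group, authenticating as the domain Administrator (group is assumed).
grant_cmd() {
    printf 'net rpc rights grant "%s\\%s" SeDiskOperatorPrivilege -U "%s\\Administrator"\n' "$1" "$2" "$1"
}

# Run the check over both constructed maps and show the grant command.
check_user_map "$WORKDIR/user.map.bad" SAMDOM || echo "user.map.bad: fix the mapping"
check_user_map "$WORKDIR/user.map.good" SAMDOM && echo "user.map.good: ok"
grant_cmd SAMDOM "Domain Admins"
```

The check deliberately treats a root line that lists more than one domain account as a finding, so a map such as `root = SAMDOM\Administrator SAMDOM\user2` is reported as well.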