[Samba] Just stop it with the "Domain Admins" nonsense

Rowland Penny rpenny at samba.org
Fri Mar 15 12:20:49 UTC 2019

On Fri, 15 Mar 2019 11:57:19 +0000
Zendal Darkman <zendal.darkman at gmail.com> wrote:

> Actually it is okay to criticise without giving a solution, if
> alternate action is evident. 

It obviously isn't evident, or the wiki wouldn't have been written in
the way it is.

> HOWEVER, "upon reflection" the tone of the message was wrong, and I
> apologise for it.

Apology accepted ;-)

> I acknowledge the
> great work the people in this list do, and you deserve thanks, not
> flippancy. I would suggest that for large organisations using "domain
> admin" accounts for day to day configuring/administering on member
> servers is not common. Usually a local admin would be used, or more
> commonly a domain user account is given admin privileges.

A local admin wouldn't be able to administrate anything in the domain,
because they wouldn't be a domain user. I thought the whole idea behind
the Domain Admins group was it is a group to add users to give them
admin rights, or am I missing something? You could also use
'Administrators' in the same way.

> The user.map can be used !root = SAMDOM\<user1> & net rpc rights grant
> "SAMDOM\<user1>" SeDiskOperatorPrivilege -U "SAMDOM\<user1>" (I grant
> it to a user rather than group, which I admit is not ideal)

You are also using it wrong, it should (in my opinion) only map
Administrator to root, not spurious users to root.

> However when I did that I did get some errors not being able to read
> to the security tab (because user1 was mapping to root???), I had to
> use a second account (user2) with SeDiskOperatorPrivilege, for
> things to work. (Perhaps I should have removed user.map?)

No, just use it correctly.

> As I type I am extremely conscious I could be wrong and demonstrating
> my ignorance, which causes further embarrassment to me. I am not a
> "linux" person but am called on by the supposed linux admins to do
> their job and use my admin account at 11pm at night to fix a broken
> domain membership .... "-u SAMDOM\admin" (they have rights to add
> machines to an OU, and can't be bothered to "man net").

Even easier, 'net help ads join' produces amongst its output, this:

   createcomputer=OU     Precreate the computer account in a specific OU.
                         The OU string read from top to bottom without RDNs
                         and delimited by a '/'.
                         E.g. "createcomputer=Computers/Servers/Unix"
                         NB: A backslash '\' is used as escape at multiple
                             levels and may need to be doubled or even
                             quadrupled. It is not used as a separator.

I don't really see any reason here to alter the wiki, perhaps Louis
has further thoughts, he knows more about Windows than I do.

