[Samba] AD User with Domain Admin

L.P.H. van Belle belle at bazuin.nl
Fri Dec 4 08:48:15 UTC 2020


This is/should be "common" knowledge/sense.. Really (not offending here) ..

Now, I'm an Admin, but on my PC I am just a regular user like any other in the company.
Even my friends at home, for whom I do some PC maintenance, work as User.
Why..

It's SOOOOO simple to infect a PC when the user runs with admin rights.
In the past, I had to go monthly to my mates to fix their PCs.
So, after a few times, I "ordered" them to work as User or pay me for my time for these fixes.
And they now work as normal User on their PCs and...

Resulting in 90% fewer problems, so I'm happy, less wasted time for me, they're happy, fewer problems,
And as long as they run it like this, my friends don't need to pay me anything..
Win win ;-)

And even on home PCs I set things like this where I can.
https://www.lepide.com/blog/top-10-most-important-group-policy-settings-for-preventing-security-breaches/ 

Now, on the question "is there any official statement"  
There is this : 
https://docs.microsoft.com/en-us/services-hub/health/remediation-steps-ad/review-and-reduce-the-number-of-accounts-in-highly-privileged-administrative-groups 

So, how do I handle this in the office, since I'm just the same as any Admin..
I have 1 Windows PC, and that one is the only one I use and log in to as Administrator, not my work PC, a different one.
This one holds all needed tools, extra stuff etc.

My username is added to a "user-maint" group, and I gave delegation rights so I "can" maintain users/groups from my own account.

I hope the above helps you.

Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Friday 4 December 2020 9:23
> To: samba at lists.samba.org
> Subject: Re: [Samba] AD User with Domain Admin
> 
> Greetings! Robert Marcano via samba
>   On that day it was said...
> 
> > As it should be, the Windows concept of being a domain administrator
> > granting you administrator on all machines is by default bad. That is why so
> > many AD security recommendations tell Windows administrators to have a
> > normal user for daily usage and switch to the domain administrator only when
> > needed, a cheaper version of sudo.
> 
> Right. But on this I've found so many 'unofficial' sites and papers,
> but no 'official' Microsoft (or by some regulatory entity like
> CERT) document on this.
> 
> Do you or someone here have a pointer? Thanks.
> 
> -- 
> dott. Marco Gaiarin                    GNUPG Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
> 
>       Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
>       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
>       (tax code 00307430132, category ONLUS or HEALTH RESEARCH)
> 