[Samba] AD User with Domain Admin
Robert Marcano
robert at marcanoonline.com
Fri Dec 4 12:23:55 UTC 2020
On 12/4/20 4:22 AM, Marco Gaiarin via samba wrote:
> Mandi! Robert Marcano via samba
> In chel di` si favelave...
>
>> As it should be, the Windows concept of being a domain administrator
>> granting you administrator on all machines is by default bad. That is why so
>> many AD security recommendations tell Windows administrators to have a
>> normal user for daily usage and switch to the domain administrator only when
>> needed, a cheaper version of sudo.
>
> Right. But on this i've found so many 'unofficial' siteas and paper,
> but no one 'official' Microsoft (or by some regulatory entity like
> CERT) document on this.
>
> You or someone here have some pointer? Thanks.
>
L.P.H. van Belle added a link to another more concise page, but I
usually point customers to [1] when they start asking to be Domain
Admins all the time. It is a longer read that includes more than the
reduction or protection of accounts inside the Domain Admins group.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
More information about the samba
mailing list