[Samba] AD User with Domain Admin

Robert Marcano robert at marcanoonline.com
Fri Dec 4 12:23:55 UTC 2020

On 12/4/20 4:22 AM, Marco Gaiarin via samba wrote:
> Mandi! Robert Marcano via samba
>    In chel di` si favelave...
>> As it should be, the Windows concept of being a domain administrator
>> granting you administrator on all machines is by default bad. That is why so
>> many AD security recommendations tell Windows administrators to have a
>> normal user for daily usage and switch to the domain administrator only when
>> needed, a cheaper version of sudo.
> Right. But on this i've found so many 'unofficial'  siteas and paper,
> but no one 'official' Microsoft (or by some regulatory entity like
> CERT) document on this.
> You or someone here have some pointer? Thanks.

L.P.H. van Belle added a link to another more concise page, but I 
usually point customers to [1] when they start asking to be Domain 
Admins all the time. It is a longer read that includes more than the 
reduction or protection of accounts inside the Domain Admins group.


More information about the samba mailing list