[Samba] AD User with Domain Admin

Marco Gaiarin gaio at sv.lnf.it
Fri Dec 4 16:40:19 UTC 2020

Mandi! L.P.H. van Belle via samba
  On that day it was said...

> This is/should be "common" knowledge/sense.. Really (not offending here) .. 

I know it is a better thing; I simply normally use Linux (with sudo)
and so effectively I run my Windows account only for administrative
tasks. ;-)

> And even on home pc's i set things like this where i can. 
> https://www.lepide.com/blog/top-10-most-important-group-policy-settings-for-preventing-security-breaches/ 
> Now, on the question "is there any official statement"  
> There is this : 
> https://docs.microsoft.com/en-us/services-hub/health/remediation-steps-ad/review-and-reduce-the-number-of-accounts-in-highly-privileged-administrative-groups 

Mandi! Robert Marcano via samba
  On that day it was said...

> L.P.H. van Belle added a link to another more concise page, but I usually
> point customers to [1] when they start asking to be Domain Admins all the
> time. It is a longer read that includes more than the reduction or
> protection of accounts inside the Domain Admins group.

> https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory

Starting from your link I've found:


where the statement is clear:

 Separate administrative accounts
 All personnel that are authorized to possess administrative privileges must have separate accounts for administrative functions that are distinct from user accounts.
    Standard user accounts - Granted standard user privileges for standard user tasks, such as email, web browsing, and using line-of-business applications. These accounts should not be granted administrative privileges.
    Administrative accounts - Separate accounts created for personnel who are assigned the appropriate administrative privileges. An administrator who is required to manage assets in each Tier should have a separate account for each Tier. These accounts should have no access to email or the public Internet.

Ah, these inferior OSes that do not have sudo... ;-)

But it seems they are working on something similar...


Thanks to all.

dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
