[Samba] Running GPMC with a user who is a member of Domain Admins

L.P.H. van Belle belle at bazuin.nl
Wed Apr 7 07:42:51 UTC 2021


On the question, what qualifies a user as Administrator?
In our network, nobody is allowed to do regular work while having Administrator rights. 

You're working while being able to change security settings, install software and hardware, access all files on the computer, and make changes to other user accounts. 
All of this is a security problem when you're working with Administrative rights. 

But to make things a bit easier.. 

- I have a "folder managers" group where I put users that are allowed to 
create new "bases/department" folders and set rights on them. 
- I have a "user managers" group.. these users can create/change new users. 

So, > Ok, but what qualifies a user as Administrator?
Nobody. I'm not the Administrator in my network, nor my boss, nor my manager. 
Only the ones that might need it have the passwords, ^^^^^ and  ^^^^ 


> -----Original message-----
> From: Stefan Bellon [mailto:bellon at axivion.com]
> Sent: Wednesday 7 April 2021 9:09
> To: L.P.H. van Belle via samba
> CC: L.P.H. van Belle
> Subject: Re: [Samba] Running GPMC with a user who is a member of Domain
> Admins
> 
> On Wed, 07 Apr, L.P.H. van Belle via samba wrote:
> 
> > Because a "user" is not an "administrator".
> > You should not "work" with Administrator rights, that's more what I
> > mean.
> >
> > Keep this separated.
> >
> > I work on my network as user XXXXX..
> > If I must do Administrative tasks, I log in as Administrator.
> 
> Ok, but what qualifies a user as Administrator?
> 
> In an environment where you are not the only administrative person, you
> certainly do not want to suggest that every administrative user logs in
> with the same "Administrator" account, sharing its password. I see many
> reasons not to do this (safety, practicability, traceability, ...).

I have auditing on Administrator logins; no Administrator login is allowed without a support ticket in our ticket system. 

And yes, my own user account does not have any extra privileges.. 

In my LAN my user account is just the same as any, except...
I'm a member of the "folder managers" and "user managers" groups, to ease it a bit. 

And for all other tasks, I log in on a separate PC as Administrator.
Also, not even at home on my own PC am I working with Administrator rights.
There I'm also a normal user.. I've seen too much of how easy it is to get shit on your PC.

> 
> So, the question remains: What's wrong with creating specific
> "administrative" users and then making them members of the "Domain
> Admins" group? And if that's really a bad idea, how do you do it
> properly?

Well, it is a really bad idea, but I'm not the one to say you're not allowed to do it; it's my "advice" not to do it. 

From what I showed: try if you can split up the "administrative tasks" and make groups for them. My tip to everybody is: make groups, everywhere, for everything.. Once that's set up, all you need to do is add/remove users from groups. So, that said: 

- AD/user/group managers.
- File and Folder Managers.
- Printer Managers 

Things like that. 

Installing/removing software => Administrator task. 
Changing security settings => Administrator task.

This is also a good read.
https://activedirectorypro.com/active-directory-management-tips/
I think about 99% of what's shown in there, I'm applying here. 

I hope this helps you a bit. 

So, the very short version of why not to work with Administrator rights. 

I can give you one website; you go visit it, and it will install software on your computer and I can take it over. 
Yeah, that simple. No virus scanner will detect it because it's all using normal software, and the nice part of it is: Windows 10 helps here, 
because in Windows 10 you "can" install software in your own environment. 
That's in my opinion a bad part of Windows 10, but because MS is doing this, 
if that user gets infected, it's not infecting the whole system, so recovery is easier.. 


I hope this helps a LOT of people in understanding why you should never run/work
as an Administrator. 


Greetz, 

Louis
