[Samba] Running GPMC with a user who is a member of Domain Admins

Rowland penny rpenny at samba.org
Wed Apr 7 08:07:37 UTC 2021

On 07/04/2021 08:50, Stefan Bellon via samba wrote:
> On Wed, 07 Apr, L.P.H. van Belle via samba wrote:
>> On the question, what qualifies a user as Administrator?
>> In our network, nobody is allowed to do regular work, when your
>> having Adminsitrator rights.
> That's of course obvious.
>> Your working or being able to change security settings, install
>> software and hardware, access all files on the computer, and make
>> changes to other user accounts. This all is security problem when
>> your working with Adminsitrative rights.
> Also obviously agreed upon.
> What I do not understand - you said:
>> [...] user which was added to "domain admins" which is a big NO NO..
> My question is a technical one, not a philosophical one: How could a
> personalized user account be "administrative" if not added to the
> appropriate group, in this case "Domain Admins". So, how else should a
> user perform domain administrative tasks, if it's not a specifically
> created user account that is member of the "Domain Admins" group?
> Greetings,
> Stefan

I think what Louis is trying to say is, you shouldn't use a normal 
account to do administrative tasks. You should create an account, add 
this to Domain Admins or Administrators and use that account for 
administrative tasks. For example, if you have an account 'stefan', do 
not use that account for administrative tasks, create another account, 
'stefan_admin' for instance, add this account to Domain Admins and use 
it only for administrative tasks.


More information about the samba mailing list