[Samba] Running GPMC with a user who is a member of Domain Admins

L.P.H. van Belle belle at bazuin.nl
Wed Apr 7 08:40:49 UTC 2021

> -----Oorspronkelijk bericht-----
> Van: Stefan Bellon [mailto:bellon at axivion.com]
> Verzonden: woensdag 7 april 2021 9:50
> Aan: L.P.H. van Belle via samba
> CC: L.P.H. van Belle
> Onderwerp: Re: [Samba] Running GPMC with a user who is a member of Domain
> Admins
> On Wed, 07 Apr, L.P.H. van Belle via samba wrote:
> > On the question, what qualifies a user as Administrator?
> > In our network, nobody is allowed to do regular work, when your
> > having Adminsitrator rights.
> That's of course obvious.
> > Your working or being able to change security settings, install
> > software and hardware, access all files on the computer, and make
> > changes to other user accounts. This all is security problem when
> > your working with Adminsitrative rights.
> Also obviously agreed upon.
> What I do not understand - you said:
> > [...] user which was added to "domain admins" which is a big NO NO..
> My question is a technical one, not a philosophical one: 
> How could a personalized user account be "administrative" 
> if not added to the appropriate group, in this case "Domain Admins". 
> So, how else should a user perform domain administrative tasks, 
> if it's not a specifically created user account that is member of 
> the "Domain Admins" group?

if i understanded your question right. Your missing "delegation"

You can delegate rights to a users or group. Per example, you can give a user(preffered a group) the right to reset a password only.  
(see site below) 

I think your looking for that. 



More information about the samba mailing list