[Samba] Running GPMC with a user who is a member of Domain Admins
L.P.H. van Belle
belle at bazuin.nl
Wed Apr 7 08:40:49 UTC 2021
> -----Oorspronkelijk bericht-----
> Van: Stefan Bellon [mailto:bellon at axivion.com]
> Verzonden: woensdag 7 april 2021 9:50
> Aan: L.P.H. van Belle via samba
> CC: L.P.H. van Belle
> Onderwerp: Re: [Samba] Running GPMC with a user who is a member of Domain
> Admins
>
> On Wed, 07 Apr, L.P.H. van Belle via samba wrote:
>
> > On the question, what qualifies a user as Administrator?
> > In our network, nobody is allowed to do regular work, when your
> > having Adminsitrator rights.
>
> That's of course obvious.
>
> > Your working or being able to change security settings, install
> > software and hardware, access all files on the computer, and make
> > changes to other user accounts. This all is security problem when
> > your working with Adminsitrative rights.
>
> Also obviously agreed upon.
>
> What I do not understand - you said:
>
> > [...] user which was added to "domain admins" which is a big NO NO..
>
> My question is a technical one, not a philosophical one:
> How could a personalized user account be "administrative"
> if not added to the appropriate group, in this case "Domain Admins".
> So, how else should a user perform domain administrative tasks,
> if it's not a specifically created user account that is member of
> the "Domain Admins" group?
if i understanded your question right. Your missing "delegation"
You can delegate rights to a users or group. Per example, you can give a user(preffered a group) the right to reset a password only.
(see site below)
https://petri.com/delegate-permission-reset-ad-user-account-passwords
I think your looking for that.
Greetz,
Louis
More information about the samba
mailing list