L.P.H. van Belle
2021-Apr-07 06:55 UTC
[Samba] Running GPMC with a user who is a member of Domain Admins
Because a "user" is not an "administrator".
You should not "work" with Administrator rights, that's more what I mean.

Keep this separated.

I work on my network as user XXXXX..
If I must do administrative tasks, I log in as Administrator.

Also, if you are working while you're administrator, it's really easy to get "garbage" on your PC, which now can install itself also, because it already has administrator rights.

That's what I mean, I hope that's clear.
It's only a safety thing, has nothing to do with Samba in general.

> -----Original message-----
> From: Roy Eastwood [mailto:spindles7 at gmail.com]
> Sent: Tuesday 6 April 2021 17:48
> To: 'L.P.H. van Belle'; samba at lists.samba.org
> Subject: Running GPMC with a user who is a member of Domain Admins
>
> Hi Louis,
> On 06 April 2021 15:45 L.P.H. van Belle wrote:
> > so, I'm assuming this was a "user" with elevated rights that ran GPMC
> > and created the policies, or a user which was added to "domain admins"
> > which is a big NO NO..
>
> Can you elaborate why you say running GPMC by a user who is a member of
> Domain Admins is a "big NO NO" please?
>
> Thanks,
> Roy

Greetz,

Louis
Stefan Bellon
2021-Apr-07 07:08 UTC
[Samba] Running GPMC with a user who is a member of Domain Admins
On Wed, 07 Apr, L.P.H. van Belle via samba wrote:

> Because a "user" is not an "administrator"
> You should not "work" with Administrator rights, that's more what I
> mean.
>
> Keep this separated.
>
> I work on my network as user XXXXX..
> if I must do Administrative tasks, I login as Administrator.

Ok, but what qualifies a user as Administrator?

In an environment where you are not the only administrative person, you certainly do not want to suggest that every administrative user logs in with the same "Administrator" account, sharing its password. I see many reasons not to do this (safety, practicability, traceability, ...).

So, the question remains: What's wrong with creating specific "administrative" users and then making them members of the "Domain Admins" group? And if that's really a bad idea, how do you do it properly?

Greetings,
Stefan

--
Stefan Bellon
Roy Eastwood
2021-Apr-07 07:12 UTC
[Samba] Running GPMC with a user who is a member of Domain Admins
On 07 April 2021 07:56 L.P.H. van Belle wrote:

> Because a "user" is not an "administrator"
> You should not "work" with Administrator rights, that's more what I mean.
>
> Keep this separated.
>
> I work on my network as user XXXXX..
> if I must do Administrative tasks, I login as Administrator.
>
> also, if you are working while you're administrator, it's really easy to
> get "garbage" on your PC, which now can install itself also, because it
> already has administrator rights.
>
> That's what I mean, I hope that's clear.
> It's only a safety thing, has nothing to do with Samba in general.

Thanks Louis, that's fine and very good advice. For a moment I thought that you might get different permissions depending whether you ran GPMC as Administrator or as a Domain Admin user.

Cheers,

Roy
L.P.H. van Belle
2021-Apr-07 07:42 UTC
[Samba] Running GPMC with a user who is a member of Domain Admins
On the question, what qualifies a user as Administrator?

In our network, nobody is allowed to do regular work when you're having Administrator rights. You're working or being able to change security settings, install software and hardware, access all files on the computer, and make changes to other user accounts. This all is a security problem when you're working with Administrative rights.

But to make things a bit more easy..
- I have a "folder managers group" where I put users in that are allowed to create new "bases/department" folders and set rights on it.
- I have a "user managers group",.. these users can create/change new users.

So,
> Ok, but what qualifies a user as Administrator?
Nobody.
I'm not the Administrator in my network, not my boss, not my manager.
Only the ones that might need it have the passwords,
^^^^^ and ^^^^

> -----Original message-----
> From: Stefan Bellon [mailto:bellon at axivion.com]
> Sent: Wednesday 7 April 2021 9:09
> To: L.P.H. van Belle via samba
> CC: L.P.H. van Belle
> Subject: Re: [Samba] Running GPMC with a user who is a member of Domain
> Admins
>
> On Wed, 07 Apr, L.P.H. van Belle via samba wrote:
>
> > Because a "user" is not an "administrator"
> > You should not "work" with Administrator rights, that's more what I
> > mean.
> >
> > Keep this separated.
> >
> > I work on my network as user XXXXX..
> > if I must do Administrative tasks, I login as Administrator.
>
> Ok, but what qualifies a user as Administrator?
>
> In an environment where you are not the only administrative person, you
> certainly do not want to suggest that every administrative user logs in
> with the same "Administrator" account, sharing its password. I see many
> reasons not to do this (safety, practicability, traceability, ...).

I have auditing on Administrator logins, no Administrator login allowed without any support ticket in our ticket system.

And yes, my own user account does not have any extra privileges.. in my LAN my user account is just the same as any, except... I'm a member of the "folder managers" and users managers, to ease it a bit.

And for all other tasks, I do log in on a separate PC as Administrator.

Also, I'm not even at home on my own PC working with administrator rights. I'm also a normal user.. seen too much of how easy it is to get shit on your PC.

>
> So, the question remains: What's wrong with creating specific
> "administrative" users and then making them members of the "Domain
> Admins" group? And if that's really a bad idea, how do you do it
> properly?

Well, it is a really bad idea, but I'm not the one to say you're not allowed to do it, it's my "advice" not to do it.

From what I showed.
Try if you can split up the "administrative tasks" and make groups of them. My tip to everybody is: make groups, everywhere, for everything.. once that's set up, all you need to do is add/remove users from groups.

So that said:
- AD/user/group managers.
- File and Folder Managers.
- Printer Managers
Things like that.

Installing/removing software => Administrator task.
Changing security settings => Administrator task.

This is also a good read.
https://activedirectorypro.com/active-directory-management-tips/
I think about 99% of what's shown in there, I'm applying here.

I hope this helps you a bit.

So, the very short version of why not working with Administrator rights.
I can give you 1 website, you go visit it, and it will install software on your computer and I can take it over.
Yeah, that simple, no virus scanner will detect it because it's all using normal software, and the nice part of it is: Windows 10 helps here, because in Windows 10 you "can" install software in your own environment.
That's in my opinion a bad part of Windows 10, but because MS is doing this, if that user gets infected, it's not infecting the whole system, so recovery is more easy..

I hope to help a LOT of people in understanding why you should never run/work as an Administrator.

Greetz,

Louis
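
Added example, not part of any message in this thread: a shell check in the spirit of the group-based separation discussed above, listing "Domain Admins" members that are not on an approved list of dedicated admin-only accounts. The account names and the approved-list path are hypothetical; the member list is assumed to be one name per line, as `samba-tool group listmembers` prints it.

```shell
#!/bin/sh
# Added example (not from the thread): list "Domain Admins" members that are
# not on an approved list of dedicated admin-only accounts.
# Input format: one account name per line, as printed by
#   samba-tool group listmembers "Domain Admins"

# unexpected_admins MEMBERS_FILE APPROVED_FILE
# Prints each member missing from APPROVED_FILE. Names are compared
# case-insensitively; CRs, surrounding blanks and empty lines are ignored,
# as are "#" comment lines in the approved list. A missing approved list
# flags every member.
unexpected_admins() {
    awk -v approved="$2" '
        function clean(s) {
            gsub(/\r/, "", s)
            gsub(/^[ \t]+|[ \t]+$/, "", s)
            return s
        }
        BEGIN {
            while ((getline line < approved) > 0) {
                line = clean(line)
                if (line != "" && line !~ /^#/) ok[tolower(line)] = 1
            }
        }
        {
            name = clean($0)
            if (name != "" && !(tolower(name) in ok)) print name
        }
    ' "$1"
}

# Constructed sample: "bob" is a day-to-day account that ended up in the group.
run_constructed_sample() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'Administrator' 'adm-alice' 'bob' > "$tmp/members"
    printf '%s\n' '# dedicated admin accounts' 'administrator' 'ADM-Alice' > "$tmp/approved"
    unexpected_admins "$tmp/members" "$tmp/approved"
    rm -rf "$tmp"
}

run_constructed_sample   # prints: bob

# Live use on a Samba AD DC (the approved-list path is a hypothetical name):
#   samba-tool group listmembers "Domain Admins" > /tmp/da-members.txt
#   unexpected_admins /tmp/da-members.txt /etc/samba/approved-domain-admins.txt
```

Any name it prints is an account to move into a delegated group (folder managers, user managers and so on) or to replace with a separate admin-only account.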