I expect the next "you should know" here.

How do you handle administrative accounts in your samba/windows domains?

I have to provide some accounts for the so-called admin users at the customer ... in some cases they learned the main admin pwd (yes, bad) and used it for installing this and that.

Add their own users to group "domain admins"?

I'd like to take away the main admin pwd from them. I have to.

On 07/08/2019 10:25, Stefan G. Weichinger via samba wrote:
> I expect the next "you should know" here.
>
> How do you handle administrative accounts in your samba/windows domains?
>
> I have to provide some accounts for the so-called admin users at the
> customer ... in some cases they learned the main admin pwd (yes, bad)
> and used it for installing this and that.
>
> Add their own users to group "domain admins"?
>
> I'd like to take away the main admin pwd from them. I have to.
>

Rule one, never tell anyone the Administrator password.

Try reading about delegation on Active Directory.

Rowland

On 07.08.19 at 11:45, Rowland penny via samba wrote:
> On 07/08/2019 10:25, Stefan G. Weichinger via samba wrote:
>> I expect the next "you should know" here.
>>
>> How do you handle administrative accounts in your samba/windows domains?
>>
>> I have to provide some accounts for the so-called admin users at the
>> customer ... in some cases they learned the main admin pwd (yes, bad)
>> and used it for installing this and that.
>>
>> Add their own users to group "domain admins"?
>>
>> I'd like to take away the main admin pwd from them. I have to.
>>
> Rule one, never tell anyone the Administrator password
>
> Try reading about delegation on Active Directory.

started ... will try first with setting up a specific user for the backups

Hai,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Wednesday 7 August 2019 11:25
> To: samba
> Subject: [Samba] best practice for domain admins
>
>
> I expect the next "you should know" here.

Nah, the previous, that was one, and you did know that.. Been there, done it.. I know how it works, sometimes you're just in a rush.. But I had to post it to the list so I hope others learn from it.

>
> How do you handle administrative accounts in your
> samba/windows domains?
>
> I have to provide some accounts for the so-called admin users at the
> customer ... in some cases they learned the main admin pwd (yes, bad)
> and used it for installing this and that.

This depends on what the need is. I suggest you start reading here.
https://www.petri.com/managing-privileged-access-active-directory
And
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/access-control

Keep an eye on the SePrivileges and make sure you check these also.
Yes, it's a lot to read into..

Make separate accounts that need admin rights and use these to configure services where needed.
This makes sure you can always change the Administrator password without creating conflicts in other parts of the network.

Delegate user management.
Where possible use GPOs to install software.
And I try to do everything ( where possible ) with GPOs.

There is a lot to read and talk about this, start simple. For example.
https://www.petri.com/delegate-permission-reset-ad-user-account-passwords

So far,

Greetz,

Lous
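
The steps suggested in the last reply (separate admin accounts, delegated password resets, then changing the Administrator password), sketched with samba-tool as an added example that is not part of the original thread. The `adm-` prefix, the OU DN and the group SID are placeholders, and the helpdesk group whose SID is passed in is assumed to exist already.

```shell
#!/bin/sh
# Added example: every name here (adm- prefix, OU DN, group SID) is a placeholder.
DRY_RUN=${DRY_RUN:-1}   # 1 = print the samba-tool commands for review, 0 = run them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# AD schema constants: the "Reset Password" control access right and the user class.
RESET_PW_RIGHT=00299570-246d-11d0-a768-00aa006e0529
USER_CLASS=bf967aba-0de6-11d0-a285-00aa003049e2

# Object-allow ACE, inherited by user objects below the OU only (CIIO),
# granting just the control right (CR) to reset passwords.
reset_pw_ace() {        # $1 = SID of the group that gets the delegation
    printf '(OA;CIIO;CR;%s;%s;%s)' "$RESET_PW_RIGHT" "$USER_CLASS" "$1"
}

plan_admin_split() {    # $1 = OU DN, $2 = helpdesk group SID, rest = people needing admin
    ou=$1; sid=$2; shift 2
    # Delegate user management: password resets on one OU, no Domain Admins needed.
    run samba-tool dsacl set --objectdn="$ou" --sddl="$(reset_pw_ace "$sid")"
    for person in "$@"; do
        # One named admin account per person, so actions are attributable
        # and one account can be disabled without touching the others.
        run samba-tool user create "adm-$person" --random-password
        run samba-tool group addmembers "Domain Admins" "adm-$person"
    done
    # Last step: change the shared Administrator password (prompts when run for real).
    run samba-tool user setpassword Administrator
}

if [ "$#" -ge 3 ]; then plan_admin_split "$@"; fi
```

In dry-run mode the commands are printed unquoted for review only. Accounts created with `--random-password` still need a password set with `samba-tool user setpassword` before their owner can log in.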