On 07.08.19 at 11:45, Rowland penny via samba wrote:
> On 07/08/2019 10:25, Stefan G. Weichinger via samba wrote:
>> I expect the next "you should know" here.
>>
>> How do you handle administrative accounts in your samba/windows domains?
>>
>> I have to provide some accounts for the so-called admin users at the
>> customer ... in some cases they learned the main admin pwd (yes, bad)
>> and used it for installing this and that.
>>
>> Add their own users to group "domain admins"?
>>
>> I'd like to take away the main admin pwd from them. I have to.
>>
> Rule one, never tell anyone the Administrator password
>
> Try reading about delegation on Active Directory.

started ...

will try first with setting up a specific user for the backups
Hi,

I would recommend:

First change that Administrator password...

For persons needing to do admin tasks: provide them a second account that they can use if needed so that they don't have unneeded privileges while doing their everyday work.

For the different roles (such as sw installation on PCs): set up AD groups and add those second accounts to these groups.

For the sw-installation-on-PCs group: put that group into the (local) administrators group on all PCs using the GPO setting
Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Restricted Groups --> Group Name "Administrators"

The net result: If such a power user needs to install something, he enters his 2nd UserID & password, does the installation, and all is fine. He will not have a chance to break anything in the central AD.

You can do similar things with other workstation-local groups such as Backup Operators etc...

regards,
Norbert

On 07.08.2019 12:00, Stefan G. Weichinger via samba wrote:
> On 07.08.19 at 11:45, Rowland penny via samba wrote:
>> On 07/08/2019 10:25, Stefan G. Weichinger via samba wrote:
>>> I expect the next "you should know" here.
>>>
>>> How do you handle administrative accounts in your samba/windows domains?
>>>
>>> I have to provide some accounts for the so-called admin users at the
>>> customer ... in some cases they learned the main admin pwd (yes, bad)
>>> and used it for installing this and that.
>>>
>>> Add their own users to group "domain admins"?
>>>
>>> I'd like to take away the main admin pwd from them. I have to.
>>>
>> Rule one, never tell anyone the Administrator password
>>
>> Try reading about delegation on Active Directory.
> started ...
>
> will try first with setting up a specific user for the backups
>
Good one Norbert,

And this is exactly as I'm doing my software installs.
My colleague finds it very annoying. :-)

I also added (through GPO) that, once you're logged in the Domain, all software add/remove functions are disabled, even for Domain admins, only "local - pc admins" can install software.
(use .\localInstallAdmin) where "." is equal to the pc name. That is handy, so you don't have to know the PC name when you're installing.

And don't forget, "NTDOM\Domain admins" is a member of "BUILTIN\Administrators"
"BUILTIN\Administrators" on the pc/server local, is shown as: "Administrators"

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Norbert Hanke via samba
> Sent: Wednesday 7 August 2019 13:06
> To: samba at lists.samba.org
> Subject: Re: [Samba] best practice for domain admins
>
> Hi,
>
> I would recommend:
>
> First change that Administrator password...
>
> For persons needing to do admin tasks: provide them a second account
> that they can use if needed so that they don't have unneeded
> privileges
> while doing their everyday work.
>
> For the different roles (such as sw installation on PCs): set up AD
> groups and add those second accounts to these groups.
>
> For the sw-installation-on-PCs group: put that group into the (local)
> administrators group on all PCs using the GPO setting
> Computer Configuration --> Policies --> Windows Settings --> Security
> Settings --> Restricted Groups --> Group Name "Administrators"
>
> The net result: If such a power user needs to install something, he
> enters his 2nd UserID & password, does the installation, and all is fine.
> He will not have a chance to break anything in the central AD.
>
> You can do similar things with other workstation-local groups such as
> Backup Operators etc...
>
> regards,
> Norbert
>
> On 07.08.2019 12:00, Stefan G. Weichinger via samba wrote:
> > On 07.08.19 at 11:45, Rowland penny via samba wrote:
> >> On 07/08/2019 10:25, Stefan G. Weichinger via samba wrote:
> >>> I expect the next "you should know" here.
> >>>
> >>> How do you handle administrative accounts in your
> samba/windows domains?
> >>>
> >>> I have to provide some accounts for the so-called admin
> users at the
> >>> customer ... in some cases they learned the main admin
> pwd (yes, bad)
> >>> and used it for installing this and that.
> >>>
> >>> Add their own users to group "domain admins"?
> >>>
> >>> I'd like to take away the main admin pwd from them. I have to.
> >>>
> >> Rule one, never tell anyone the Administrator password
> >>
> >> Try reading about delegation on Active Directory.
> > started ...
> >
> > will try first with setting up a specific user for the backups
> >
On 07.08.19 at 13:41, L.P.H. van Belle via samba wrote:
> Good one Norbert,
>
> And this is exactly as I'm doing my software installs.
> My colleague finds it very annoying. :-)
>
> I also added (through GPO) that, once you're logged in the Domain, all software add/remove functions are disabled, even for Domain admins,
> only "local - pc admins" can install software.

This might get annoying if I deploy MS LAPS: separate admin-pw per PC.

So I have to decide here ... (or roll out the same local-admin-pwd everywhere).
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Stefan G. Weichinger via samba
> Sent: Wednesday 7 August 2019 13:53
> To: samba at lists.samba.org
> Subject: Re: [Samba] best practice for domain admins
>
> On 07.08.19 at 13:41, L.P.H. van Belle via samba wrote:
> > Good one Norbert,
> >
> > And this is exactly as I'm doing my software installs.
> > My colleague finds it very annoying. :-)
> >
> > I also added (through GPO) that, once you're logged in the
> Domain, all software add/remove functions are disabled, even
> for Domain admins,
> > only "local - pc admins" can install software.
>
> This might get annoying if I deploy MS LAPS: separate admin-pw per PC.
>
> So I have to decide here ... (or roll out the same local-admin-pwd
> everywhere).
>

I understand why you're saying that part about MS LAPS and I'm going to look into MS LAPS more.

For now, in this case, I suggest you set up 2 accounts. One general (LAPS compliant) and one only for software installs.
After you installed software on the computers, you disable the "installAdmin" account and change the password.

The steps to the GPOs to create the local users and/or groups:

1) Create a local admin group in AD
2) Add the needed users to the group
3) Create a new group policy to push the policy
4) Expand "Computer Configuration" -> "Policies" -> "Windows Settings" -> "Security Settings" -> "Restricted Groups"
5) In the "Add Groups" interface you add the group you created in steps 1 and 2 above
6) Attach this policy to the OU where the computers are.

And the above means you have to think carefully if your current AD layout works for you.

For example:

BASE
  OU=Domain controllers
  OU=Computers
  OU=users

Then you apply the GPO on BASE or OU=Computers (depending on the GPO settings also!)

Or

BASE
  OU=Domain controllers
  OU=Computers
  OU=users
  OU=Company
  OU=Company,OU=Users
  OU=Company,OU=Computers

Then you apply the GPO on OU=Company

Or

BASE
  OU=Domain controllers
  OU=Computers
  OU=users
  OU=Company
  OU=Company,OU=Department1 (containing its users AND computers)
  OU=Company,OU=Department2 (containing its users AND computers)

Then you apply the GPO on OU=Company and per Department OU=Company,OU=Department1 or OU=Company,OU=Department1

But that all depends on your AD design. So don't rush this, think carefully about it.

Greetz,

Louis
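The Restricted Groups setting that Norbert describes and that Louis's steps 4 and 5 configure is stored by the GPO as a [Group Membership] section in GptTmpl.inf (under MACHINE\Microsoft\Windows NT\SecEdit\ in the policy folder on SYSVOL). The following is an added example, not code from the list posts: it builds that section for BUILTIN\Administrators (S-1-5-32-544) and parses it back so an existing policy can be audited. The domain SID and RID used are constructed placeholders; on a Samba DC the group and the second accounts themselves are created with samba-tool group add / user create / group addmembers.

```python
"""Build and audit the Restricted Groups entry of a GptTmpl.inf.

Added example for the "delegated local admin" GPO discussed in the thread;
all domain SIDs below are constructed placeholders.
"""
import configparser
import re

LOCAL_ADMINISTRATORS = "S-1-5-32-544"   # BUILTIN\Administrators on every PC
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(-\d+){3}-\d+$")


def restricted_groups_inf(member_sids, local_group=LOCAL_ADMINISTRATORS):
    """Return GptTmpl.inf text that makes member_sids the membership of
    local_group.  "__Members" is authoritative: anything not listed
    (including Domain Admins, if omitted) is removed from the local group
    at every policy refresh; Windows keeps only the built-in Administrator
    account (RID 500) regardless."""
    for sid in member_sids:
        if not DOMAIN_SID_RE.match(sid):
            raise ValueError(f"not a domain SID: {sid}")
    members = ",".join("*" + sid for sid in member_sids)
    # Real files are CRLF-terminated and written as UTF-16LE.
    return (
        "[Unicode]\r\nUnicode=yes\r\n"
        "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
        "[Group Membership]\r\n"
        f"*{local_group}__Memberof =\r\n"
        f"*{local_group}__Members = {members}\r\n"
    )


def members_of(inf_text, local_group=LOCAL_ADMINISTRATORS):
    """Parse GptTmpl.inf text and return the SIDs that will become the
    only members of local_group (empty list if the group is not managed)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the '*S-1-5-...' keys as written
    cp.read_string(inf_text)
    raw = cp.get("Group Membership", f"*{local_group}__Members", fallback="")
    return [m.strip().lstrip("*") for m in raw.split(",") if m.strip()]


if __name__ == "__main__":
    # Constructed domain SID with a constructed RID for "PC-InstallAdmins".
    inf = restricted_groups_inf(["S-1-5-21-111111111-222222222-333333333-1105"])
    print(inf)
    print("local Administrators will be:", members_of(inf))
```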