This is/should be "common" knowledge/sense. Really (no offence intended
here).
Now, I'm an admin, but on my PC I am just a regular user like any other in the
company.
Even my friends at home, for whom I do some PC maintenance, work as User.
Why?
It's SOOOOO simple to infect a PC when the user runs with admin rights.
In the past, I had to go monthly to my mates to fix their PCs.
So, after a few times, I "ordered" them to work as User or pay me for my
time for these fixes.
And they now work as normal User on their PCs and...
The result: 90% fewer problems, so I'm happy, less wasted time for me; they're
happy, fewer problems.
And as long as they run it like this, my friends don't need to pay me anything.
Win win ;-)
And even on home PCs I set things like this where I can.
https://www.lepide.com/blog/top-10-most-important-group-policy-settings-for-preventing-security-breaches/
Now, on the question "is there any official statement":
There is this:
https://docs.microsoft.com/en-us/services-hub/health/remediation-steps-ad/review-and-reduce-the-number-of-accounts-in-highly-privileged-administrative-groups
So, how do I handle this in the office, since I'm just the same as any admin?
I have 1 Windows PC, and that one is the only one I use and log in to as
Administrator; not my work PC, a different one.
This one holds all needed tools, extra stuff etc.
My username is added to a "user-maint" group, and I gave delegation
rights so I "can" maintain user/groups from my own account.
I hope the above helps you.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Friday 4 December 2020 9:23
> To: samba at lists.samba.org
> Subject: Re: [Samba] AD User with Domain Admin
>
> Hello! Robert Marcano via samba
> On that day it was said...
>
> > As it should be, the Windows concept of being a domain administrator
> > granting you administrator on all machines is by default bad. That is
> > why so many AD security recommendations tell Windows administrators to
> > have a normal user for daily usage and switch to the domain
> > administrator only when needed, a cheaper version of sudo.
>
> Right. But on this I've found so many 'unofficial' sites and papers,
> but not one 'official' Microsoft (or by some regulatory entity like
> CERT) document on this.
>
> Do you or someone here have some pointers? Thanks.
>
> --
> dott. Marco Gaiarin                    GNUPG Key ID: 240A3D66
> Associazione ``La Nostra Famiglia''
> http://www.lanostrafamiglia.it/
> Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
> marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797