Stefan Bellon
2021-Apr-07 07:50 UTC
[Samba] Running GPMC with a user who is a member of Domain Admins
On Wed, 07 Apr, L.P.H. van Belle via samba wrote:> On the question, what qualifies a user as Administrator? > In our network, nobody is allowed to do regular work, when your > having Adminsitrator rights.That's of course obvious.> Your working or being able to change security settings, install > software and hardware, access all files on the computer, and make > changes to other user accounts. This all is security problem when > your working with Adminsitrative rights.Also obviously agreed upon. What I do not understand - you said:> [...] user which was added to "domain admins" which is a big NO NO..My question is a technical one, not a philosophical one: How could a personalized user account be "administrative" if not added to the appropriate group, in this case "Domain Admins". So, how else should a user perform domain administrative tasks, if it's not a specifically created user account that is member of the "Domain Admins" group? Greetings, Stefan -- Stefan Bellon
Rowland penny
2021-Apr-07 08:07 UTC
[Samba] Running GPMC with a user who is a member of Domain Admins
On 07/04/2021 08:50, Stefan Bellon via samba wrote:> On Wed, 07 Apr, L.P.H. van Belle via samba wrote: > >> On the question, what qualifies a user as Administrator? >> In our network, nobody is allowed to do regular work, when your >> having Adminsitrator rights. > That's of course obvious. > >> Your working or being able to change security settings, install >> software and hardware, access all files on the computer, and make >> changes to other user accounts. This all is security problem when >> your working with Adminsitrative rights. > Also obviously agreed upon. > > What I do not understand - you said: > >> [...] user which was added to "domain admins" which is a big NO NO.. > My question is a technical one, not a philosophical one: How could a > personalized user account be "administrative" if not added to the > appropriate group, in this case "Domain Admins". So, how else should a > user perform domain administrative tasks, if it's not a specifically > created user account that is member of the "Domain Admins" group? > > Greetings, > Stefan >I think what Louis is trying to say is, you shouldn't use a normal account to do administrative tasks. You should create an account, add this to Domain Admins or Administrators and use that account for administrative tasks. For example, if you have an account 'stefan', do not use that account for administrative tasks, create another account, 'stefan_admin' for instance, add this account to Domain Admins and use it only for administrative tasks. Rowland