
Re: [Samba] power users group




I know that, thank you for the advice. I ended up with the following DC config:
- Administrator ( real random password len 24 )
- itadmin member of "Domain Admins" ( real random password len 12 )
- custom "Local Admins" group with some users able to install software ( like local PC administrators ) (reference <http://cbudde.com/2014/11/adding-users-to-the-local-administrators-group-using-group-policy/>)

The purpose of the itadmin user here is to be used only by the IT administrator from secure hosts; it has a password that is easier to type even without copy/paste or other tools, and a defined password expiration. The purpose of the users in the Local Admins group is to allow local PC software installation without the need for itadmin intervention and to ensure no AD modification can be done.

On 15/03/2018 17:34, Harry Jede wrote:

On Thursday, 15 March 2018, 16:21:24 CET, Lorenzo Delana via samba wrote:

> I just installed a samba4 dc and I see that Power Users group is
> missing, is it possible to create that group so that a workstation
> joined in the domain can install software using users belonging to
> that group and how can it be done?
>
> actually simply creating a group with that name doesn't give any
> privilege to that group's users.

read:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

or here:

SID: S-1-5-32-547 Name: Power Users Description: A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares.

The net command may be used to create the group and assign privileges.

HINT:

Power Users can do much more than installing software, i.e. managing users and groups.

This is the reason why MS has removed "Power Users" from default install.

IT IS REALLY RISKY.

But if you want, it is your choice.

--

Regards

Harry Jede


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
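
An added example, not part of the original thread: a PowerShell audit to run on a domain-joined workstation that checks who actually holds local install rights under the setup described above. The domain name `EXAMPLE` is a placeholder, and treating any member of Power Users (S-1-5-32-547) as unexpected is this example's own policy, following the warning in the reply.

```powershell
# Added example: audit privileged local groups on a domain-joined workstation.
# EXAMPLE is a placeholder NetBIOS domain name (assumption); the two group
# names are the ones from the configuration described in the message above.
$Allowed = @('EXAMPLE\Domain Admins', 'EXAMPLE\Local Admins')

# Look groups up by well-known SID, because built-in group names are localized.
$Groups = [ordered]@{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-547' = 'Power Users'
}

$findings = foreach ($sid in $Groups.Keys) {
    $group = Get-LocalGroup -SID $sid -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # group does not exist on this machine

    foreach ($m in Get-LocalGroupMember -SID $sid) {
        # The built-in local Administrator account always has RID 500.
        $isBuiltinAdmin = ($m.PrincipalSource -eq 'Local') -and
                          ($m.SID.Value -match '^S-1-5-21-.+-500$')

        # Only Administrators may have members, and only the allow-listed ones.
        $expected = ($sid -eq 'S-1-5-32-544') -and
                    ($isBuiltinAdmin -or ($Allowed -contains $m.Name))

        [pscustomobject]@{
            Group    = $Groups[$sid]
            Member   = $m.Name
            Class    = $m.ObjectClass
            Source   = $m.PrincipalSource
            Expected = $expected
        }
    }
}

$findings | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or management agent flag the host.
$unexpected = @($findings | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) unexpected privileged member(s) found"
    exit 1
}
```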