On 7/19/2017, 11:57:57 AM, Pedro <pedlino@gmail.com> wrote:
Tanstaafl wrote
When you join a machine to a domain, the 'Domain Admins' group is
automatically added to the Local Administrators group on the computer
that was joined. It has been this way forever (as long as I can
remember), and is extremely useful, and is simply not a 'security issue'
as you suggest.
Actually that is not true.
Actually, yes it is.
At my workplace I have to manually add the domain admin to the PC's
admin group on each computer
I didn't say it added a 'Domain Admin' user, I said it adds the 'Domain
Admins' GROUP (so that any member of that group automatically gets local
admin rights on the PC when logging in).
I leverage this behavior in my domain to allow me to quickly allow
certain users to have Local Admin privileges by defining a 'Local
Admins' group, and also adding that Group to the local 'Administrators'
group on the PC when it is joined. Then all I have to do is add a user
to that group, and they automatically get Local Admin Rights on their
workstation.
Caveat: you must be careful, because by default, lots of network shares
automatically assign the 'Administrators' Group with full access, and a
bug in Windows doesn't differentiate between the DOMAIN 'Administrators
group and the LOCAL PC 'Administrators' group.
Maybe some setting was misconfigured by our IT
Since this is the default, then yes, something is broken for your domain
- whether accidental, or some misguided 'admin' wannabe decided to be
'clever' and disable this essential/default behavior.
but my point is you should not assume everything everywhere works as
you think it does.
Actually, it make perfect sense to ass-u-me that a system is functioning
correctly, so that someone can learn that it isn't, just as you have now
learned in this discussion.
--
To unsubscribe e-mail to: users+unsubscribe@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
Context
Privacy Policy |
Impressum (Legal Info) |
Copyright information: Unless otherwise specified, all text and images
on this website are licensed under the
Creative Commons Attribution-Share Alike 3.0 License.
This does not include the source code of LibreOffice, which is
licensed under the Mozilla Public License (
MPLv2).
"LibreOffice" and "The Document Foundation" are
registered trademarks of their corresponding registered owners or are
in actual use as trademarks in one or more countries. Their respective
logos and icons are also subject to international copyright laws. Use
thereof is explained in our
trademark policy.