[Samba] rename Administrator account


Bart Coninckx via samba

Mar 17, 2017, 11:00:02 AM
Hi all,

 
Renaming the admin account in Windows server context is a popular measure to make the network more safe. 

Can we do this also in Samba 4? Are there any negative consequences?

 
Kind Regards,
 
 
Bart Coninckx
Bits 'n Tricks BVBA
 

Marc Muehlfeld via samba

Mar 18, 2017, 10:30:03 AM
On 17.03.2017 at 15:52, Bart Coninckx via samba wrote:
> Renaming the admin account in Windows server context is a
> popular measure to make the network more safe.
>
> Can we do this also in Samba 4? Are there any negative consequences?

Sure you can rename it. Being a member of the right groups decides what
an account can do.

However, I don't understand how renaming the admin account improves the
security. For example, every domain user can easily find out who is a
member of the "Domain Admins" group:

> dsquery group -name "Domain Admins" | dsget group -members
"CN=DomAdm,CN=Users,DC=samdom,DC=example,DC=com"

Regards,
Marc


PS. By the way talking about "Samba 4" can be misleading. It's better if
you use the terms "Samba AD", "Samba NT4 domain", "Samba standalone
server", "Samba domain member", etc. depending on what you are talking
about. Samba 4 can act as all of them.
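The point made in the reply above, as an added example that is not part of the original thread: an audit that identifies privileged accounts by group membership and by RID rather than by name. The built-in Administrator account keeps the well-known RID 500 after a rename, and Domain Admins has RID 512. The LDIF sample is constructed, and the function names `parse_ldif`, `rid` and `admins` are hypothetical.

```python
# Constructed sample in ldbsearch-style LDIF; not data from a real domain.
SAMPLE_LDIF = """\
dn: CN=DomAdm,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: DomAdm
objectSid: S-1-5-21-1111-2222-3333-500

dn: CN=jane,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: jane
objectSid: S-1-5-21-1111-2222-3333-1105

dn: CN=Server Team,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-1120
member: CN=jane,CN=Users,DC=samdom,DC=example,DC=com

dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-512
member: CN=DomAdm,CN=Users,DC=samdom,DC=example,DC=com
member: CN=Server Team,CN=Users,DC=samdom,DC=example,DC=com
"""

def parse_ldif(text):  # {dn: {attr: [values]}}; simple, unfolded LDIF only
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def rid(entry):
    return int(entry["objectSid"][0].rsplit("-", 1)[1])

def admins(entries):
    """(RID, name) of every user in Domain Admins (RID 512), nested groups included."""
    stack = [dn for dn, e in entries.items() if rid(e) == 512]
    seen, users = set(), set()
    while stack:
        dn = stack.pop()
        entry = entries[dn]
        if "user" in entry["objectClass"]:
            users.add((rid(entry), entry["sAMAccountName"][0]))
        elif dn not in seen:  # a group: expand it once, so membership loops end
            seen.add(dn)
            stack.extend(entry.get("member", []))
    return sorted(users)
```

An entry with RID 500 in the result is the built-in administrator under whatever name it currently has, so monitoring and lockout rules keyed on the SID keep working after a rename.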

Bart Coninckx via samba

Mar 21, 2017, 11:40:03 AM
>Sure you can rename it. Being a member of the right groups decides what
>an account can do.

>However, I don't understand how renaming the admin account improves the
>security. For example, every domain user can easily find out who is a
>member of the "Domain Admins" group:

>> dsquery group -name "Domain Admins" | dsget group -members
"CN=DomAdm,CN=Users,DC=samdom,DC=example,DC=com"

>Regards,
>Marc

Hi Marc,

 
I agree that is not the holy grail of security, but as an average user is not able to do a dsquery, it has some added value.

My customer asked me this, so now I can tell him that it is possible.

 
cheers,

 
BC