Domain Admins shouldn't always be Administrators
netr_isadmin() searches the user's list of GroupIDs for the Domain Admins group's well-known RID, and if it's discovered, it marks the user as a member of the Administrators group, giving it the privileges of that group. However, Domain Admins is not a member of the Administrators group in all deployments, and some customers prefer for a particular system's Administrators to be a different or smaller group. They should be able to do that by removing Domain Admins from the local Administrators group and adding their preferred group, but the check in netr_isadmin makes that ineffective; instead, they have to remove privileges from that local group, add a new local group with the same permissions, and add their preferred group to that one.
Steps to Reproduce:
1. Join an SMB server to a domain
2. Remove "Domain Admins" from the local Administrators group (smbadm remove-member -m "Domain Admins@<domain>" Administrators)
3. Connect to a share with a member of the Domain Admins group
4. Perform Administrative tasks on the share (i.e. taking ownership of files you do not own or have permissions on).
Expected Results:
Cannot perform Administrative tasks
Actual Results:
Can perform Administrative tasks
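The following C sketch is an added example, not illumos code: it puts the RID shortcut the report describes next to a check driven only by the local Administrators membership list, using the reproduction scenario as input. The type, the function names and RID 1105 are hypothetical; 512 and 513 are the well-known Domain Admins and Domain Users RIDs, and groups are reduced to RIDs within a single domain.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define RID_DOMAIN_ADMINS 512u   /* well-known RID of Domain Admins */
#define RID_DOMAIN_USERS  513u   /* well-known RID of Domain Users */
#define RID_STORAGE_OPS   1105u  /* constructed RID for a site-specific group */

/* Hypothetical, simplified model: one domain, groups identified by RID only. */
typedef struct { const uint32_t *rids; size_t n; } rid_set_t;

static bool has_rid(const rid_set_t *s, uint32_t rid)
{
	for (size_t i = 0; i < s->n; i++)
		if (s->rids[i] == rid)
			return (true);
	return (false);
}

/* Behaviour the report describes: the RID alone grants admin rights. */
bool is_admin_rid_shortcut(const rid_set_t *tok)
{
	return (has_rid(tok, RID_DOMAIN_ADMINS));
}

/* Membership-driven check: admin only via a member of local Administrators. */
bool is_admin_by_membership(const rid_set_t *tok, const rid_set_t *admins)
{
	for (size_t i = 0; i < tok->n; i++)
		if (has_rid(admins, tok->rids[i]))
			return (true);
	return (false);
}

/* Constructed sample data: Domain Admins removed, Storage Ops added. */
static const uint32_t da_groups[] = { RID_DOMAIN_USERS, RID_DOMAIN_ADMINS };
static const uint32_t ops_groups[] = { RID_DOMAIN_USERS, RID_STORAGE_OPS };
static const uint32_t admins_members[] = { RID_STORAGE_OPS };
const rid_set_t da_user = { da_groups, 2 };
const rid_set_t ops_user = { ops_groups, 2 };
const rid_set_t local_admins = { admins_members, 1 };

int main(void)
{
	printf("DA: shortcut=%d membership=%d; ops: membership=%d\n",
	    is_admin_rid_shortcut(&da_user),
	    is_admin_by_membership(&da_user, &local_admins),
	    is_admin_by_membership(&ops_user, &local_admins));
	return (0);
}
```

With the shortcut in place the Domain Admins user is still treated as an administrator even though the group is no longer in the membership list, which is the actual result reported above.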
Updated by Electric Monk over 2 years ago
- % Done changed from 0 to 100
- Status changed from In Progress to Closed
commit 48f31329f53c9b7554a923cb617ff7eecb6137e1
Author: Matt Barden <firstname.lastname@example.org>
Date: 2019-11-14T14:23:07.000Z

    11854 Domain Admins shouldn't always be Administrators
    Reviewed by: Gordon Ross <email@example.com>
    Reviewed by: Evan Layton <firstname.lastname@example.org>
    Reviewed by: Andrew Stormont <email@example.com>
    Approved by: Garrett D'Amore <firstname.lastname@example.org>