In this article i want to show you how to reduce the rights of domain admins on domain integrated synology NAS.

Why should you domain join a NAS?

The basic idea is to centralise user management. When users and groups from AD are imported and used you can revoke a users access rights simply by deactivating his AD account.

Also you can provide read / write premissions to AD groups, and in the future only have to add users to those groups in AD.

 

Why would you want to revoke the rights of admin users?

It is a likley scenario that a crypto trojan or other malicious software at some point somehow gains domain admin privileges. I have seen this a couple times.

In a case like this you do not want you NAS to be rendered useless. Especially if you are using it to store Backups.

 

Problem

A Syno NAS usually get configured using the webinterface. Here you can join it to your domain using Control Panel > Domain / LDAP > Domain.

Now you can change share permissions for users and groups imported from your domain. To do this go to Shared Folder > Edit > Permissions and select Domain Users or Domain Groups. However the fields “Read only” and “Custom” are grayed out for Users in the DOM\Domain-Admins group.

 

Solution

Go to the domain configuration again and click on Domain Options. Here you can go to Domain Administrators and kick out the default group.

Then you can change the permissions correctly.

Dont forget to create a user for your backup solution that has write access to the share.

Cheers, Ori