Downgrading a user-admin account, future problems?

Hi guys,
When I first set up my DS1522+ I created my own custom admin account (different than the default "admin"). Since I am currently the only user on the NAS, I used this custom admin account for everything: day-to-day usage, SMB access, etc.

I migrated all my data to the NAS using this custom admin account, so basically, I used it every day as my main account.

Lately, I read up on having a different user account with just "user level" permissions (so, no admin) for everyday tasks and keeping the "custom admin" just for DSM access doing administrator tasks (settings, backups, etc.)

1. If I create another admin account, log into that one, then "downgrade" the current one to the "user group", will I encounter any issues in the future? Providing that all my data was copied to the NAS using this "downgraded" admin account, the first setup was done on it, etc.

I assume since I don't change user but just simply downgrade it ... the ownership of all the files and folders will remain unaffected. How about other NAS settings / functionality?

2. Should I start over, nuking everything (factory reset), and re-copy all my data from backups using the proper "user-only" level account? I think this is the extreme approach ... but I will do it if necessary, no problem.

3. For my own knowledge, what can happen if we use a custom admin account for daily tasks (SMB)? Can ransomware access and delete snapshots / backups if they are not visible over SMB? Can ransomware get hold of the credentials (as in ... "read" them in plain text) if the credentials are saved in keychain (I'm a Mac user) ... and then later access DSM?

My NAS is not exposed to the internet, I am not using any VPN/QC/port-forwarding. This is simply my data storage "vault" reserved for important data on localhost only. The only way some ransomware could reach it is by an infected device within the local network.

THANKS A LOT!
 
You should be able to remove the user account from the administrators group and that will make it a standard account. It will lose rights to perform admin tasks and admin accesses. The only thing I'm thinking is if some files and folders you were accessing were via group privilege, but really if you added items then they should be assigned to your user. I think it should work fine but first create your new admin account. If you do experience any issues then you can revert the admin rights to your normal account and fix them.

The reason to use a standard account for day-to-day activities is in the event that anything should happen to compromise the access. Using a standard account restricts access to the user's content and any shared features. But an admin account can be used to gain elevated privileges and compromise the whole NAS. So you should be smart and decide why and where you use admin access: e.g. just at home to manage the NAS. Any other devices on the same LAN could be used as an attack vector... once compromised they can be used to probe the LAN, so even if the NAS is isolated, is it isolated from those devices too?
 
The only thing I'm thinking is if some files and folders you were accessing were via group privilege
Thank you so much for replying.

I think it might be better to nuke everything and start fresh. I have only 1.3 TB of data to migrate, it is not that much.

Lesson learned! 🙂

It makes sense to keep an admin account just for DSM access within LAN at home.

Having multiple shared folders with different permissions + regular user accounts will make things way more secure

Thanks a lot!
 
IMO I would simply create another account with non-admin rights and use that account for day-to-day activities. Leave the custom admin account as is.
Yeah … but all my data is stored on the NAS with the first custom admin user ownership.

So I have to change / “migrate” ownership for all my files, folders and sub-folders to the new regular user.

I’m afraid that in this ownership change I will mess something up.

Having my files split between 2 users' ownership (the original custom admin and the new regular user) is not really great.

For example, my entire photography RAW files have the first custom-admin ownership.
I’m working on them within Lightroom via mounted SMB.

If I mount this Photography folder with another user without changing the ownership … I might mess something up because of different ownership, or maybe not, but I’m still reluctant to try 🙂

Maybe I have some irrational “newbie” fears 😂
 
You can change ownership of files easily in File Station. Your misuse of the term “custom admin” is confusing your issue. There is no “custom admin”. If the user is in the administrator group, they are a full admin. You can either leave things as you have them, and accept the security risk, or you can fix this. Your decision.
 
Your misuse of the term “custom admin” is confusing your issue. There is no “custom admin”. If the user is in the administrator group, they are a full admin.
Yes, sorry for the misunderstanding. I tried to say "custom created admin account" :)

Anyway, long story short, I learned this lesson for the future and I decided to just nuke everything and start over with a factory reset. (I have just 1.3 TB of data, so no big deal)

Starting fresh, the proper way this time :) Thanks everybody for your input! 🍻
 
I tried to say "custom created admin account"
This isn't a thing either. It's either an admin account, or a non-admin account. There is no “custom” or half-measure. Admin is machine god.
Starting fresh, the proper way this time
Seems wise. Watch and learn. Ask questions.

View: https://www.youtube.com/watch?v=rrvtu9z22u0

View: https://www.youtube.com/watch?v=T1xW97eyXB8
 
I have 2 different administrator logins, (with default admin disabled) and have not had any issues with one or other login with Reading, Writing, or Executing files/folders added by either login.
I added second administrator login in the off chance I did something stupid with first one. (CYA)

I took this as far as having 2x logins for DS FILE. At this point I cannot tell you what file was saved where, by which login!

When it was successful on first NAS, Second & Third just followed suit, not wanting to tempt success!
 
At this point I cannot tell you what file was saved where, by which login!
Yeah, this is what I was afraid of .... Having a bunch of files scattered between different ownerships / users of the same individual (me).

I did a factory reset and DSM re-install last night and now everything is properly in order :) 🍻
Since this is my first NAS, it took me like 4 factory resets so far 😁 to get used to all the concepts and way of doing things.

Anyway, these lessons are good and make a user more familiar with the concepts (y)
 
I have yet to find an issue where ownership has ever been an issue.... on any file... in years, on any NAS. (4 NAS's total, 3 of which are still currently in operation).
The logins created that are not administrator level are view only, on certain folders only... and those logins do not know any other folders or files exist.... Have Multiple Shared folder Sync and Timed Script file operations running daily on NAS's: copying/deleting Security images and videos, from all NAS's -- to all NAS's, too.. So 'Who did What' is quite spread around... :)!
One of the reasons why I created a second administrator login, at the time, was: If one login became 'compromised', with the second still 'good', I could then login with second, disable the compromised login, and still have another at administrator level to continue on with, as I determined what to do next... (My Self Taught attempt at having a: Work Around). Turns out I never, ever, needed to use that approach.... But kept implementing that approach on subsequent NAS's: "In Case".. If this is an issue, I certainly haven't encountered it.... (And I seem to Stumble into 'Everything'!!)
 
Since this is my first NAS, it took me like 4 factory resets so far 😁 to get used to all the concepts and way of doing things.
If your model supports it, try virtual machine manager and install an instance of vdsm. You can do any trial and error you want there and then just reset it back to its original state. Also great for testing new things or even updates.
 