Administrators group vs Domain Admins group

0 Votes

Mehuls
Hi, I am just learning Windows 2003 Active Directory. What's the difference between the Administrators group (in Builtin) and the Domain Admins group (in Users)?

Thanks
    1 Votes
    CG IT

    The administrators group is installed when you first install the O/S. This is the local machine admin security group account.

    When you promote a server to a Domain Controller, to include DNS, Active Directory, the domain admin security group is added to administer the Active Directory domain.

    You can log on to the local machine using the local machine administrators account OR you can log on to the domain with the domain administrators account.

    Try logging on to the domain with the local machine administrators user name and password and see what happens.

    0 Votes
    Mehuls

    Hi,

    I am unable to log on to the DC using the local machine administrators account.

    I have only the option to only logon using the domain administrators account (called administrator).

    Also, what do you mean by:

    Wait till you get to the Enterprise Admin Group

    Rgs

    i.e. in the "Log on to" box, the only option I have is the domain. Unlike on the PC, where you have the domain and the local PC.

    Try logging on to the domain with the local machine administrators user name and password and see what happens

    0 Votes
    spamhause

    Re-read what he asked. It has nothing to do with the Administrators group in a machine's local users and groups.

    Within Active Directory, under the "Builtin" folder, there is a group called "administrators". Then also under the "Users" folder, there is a group called "Domain Admins". The administrators group is completely independent of the local administrators group which you'll find on all networked clients and servers except for domain controllers.

    What he is asking, and what I also wonder, is what the difference is between the domain admins group located under Users and the administrators group located under Builtin within active directory.

    0 Votes
    spamhause

    Take a look at the following link:

    http://technet2.microsoft.com/windowsserver/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=true

    To summarize, it looks like the administrators group located within the Builtin folder gives full control over Domain controllers on the domain. This is the equivalent of the administrators group on a local machine. It's apparently located here in active directory due to a domain controller no longer having local users and groups once it's promoted to a DC.

    The Domain Admins group has admin rights to the entire domain, not specifically domain controllers.

    By default, the "administrator" user account is a member of both of these groups. Domain Admins is also a member of the administrators group located under the builtin folder, so it also has admin rights on domain controllers.

    If you were to create a user account and put it in the administrators group, but not the domain admins group, the user would have admin rights on all of the domain controllers, but not the entire domain. Putting the user in domain admins would grant full admin rights to the entire domain, including domain controllers.

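    As an added example (not code from the thread or from the TechNet page linked above), a PowerShell check for the case described in the last paragraph: it lists the groups nested inside Builtin\Administrators and then the user accounts that end up with admin rights on every domain controller without being in Domain Admins. It assumes the ActiveDirectory module (RSAT) on a domain-joined machine with rights to read group membership, and it looks both groups up by their well-known SIDs rather than by display name.

```powershell
# Added example (not from the thread): audit who can administer domain controllers
# through the Builtin "Administrators" group without being in "Domain Admins".
# Assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Well-known identifiers: Builtin\Administrators is always S-1-5-32-544,
# Domain Admins is the domain SID with RID 512 appended.
$builtinAdmins = Get-ADGroup -Identity 'S-1-5-32-544'
$domainAdmins  = Get-ADGroup -Identity "$($domain.DomainSID.Value)-512"

# Direct group members of Builtin\Administrators: by default this shows Domain Admins
# (and Enterprise Admins) nested inside it, which is why Domain Admins get DC rights.
Write-Output "Groups nested in $($builtinAdmins.Name):"
Get-ADGroupMember -Identity $builtinAdmins |
    Where-Object { $_.objectClass -eq 'group' } |
    ForEach-Object { Write-Output "  $($_.Name)" }

# -Recursive flattens nested groups down to the user accounts inside them.
$dcAdminUsers = Get-ADGroupMember -Identity $builtinAdmins -Recursive |
    Where-Object { $_.objectClass -eq 'user' }
$domainAdminSids = Get-ADGroupMember -Identity $domainAdmins -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SID.Value }

# Accounts with full control of every DC that are not Domain Admins: the case
# described above, and the first thing to review in a privileged-group audit.
$dcOnlyAdmins = $dcAdminUsers |
    Where-Object { $domainAdminSids -notcontains $_.SID.Value }

Write-Output "Users with DC admin rights but not in Domain Admins:"
foreach ($user in $dcOnlyAdmins) {
    Write-Output "  $($user.SamAccountName)  ($($user.distinguishedName))"
}
```

    Any account in the second list has the same reach over the domain controllers as a Domain Admin and should be treated that way when reviewing membership.
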
    1 Votes
    zlitocook

    Web site I like and use every once in a while.
    http://www.ss64.com/ntsyntax/security_groups.html

    0 Votes
    CG IT

    There are different security groups within a domain and on a machine.

    The local machine administrators security account is only good for logging in on the local machine, not the domain. The domain administrators security account is only good for logging onto the domain.

    In very large corporations with multiple forests and multiple domains within forests, there is the Enterprise Administrators security group which can manage the entire Enterprise. This group can delegate authority to domain administrators in managing their domain and other child domains [if granted].

    So the exercise of trying to log in on the domain with the local administrators account was to show that there are different administrator security accounts. One for a machine, one for a domain, and they are not the same. That is why it is best practice to change the name of the local machine administrators account to something other than administrator and also change the domain admin account to something other than administrator.

    Further, on a DC that is the only DC in a single forest, single domain AD structure, there are two security settings: one for the DC and one for the Domain. If you change the admin security account for the DC using the security options, it is not the same as the Domain security account. Effectively you're blocking anyone from logging on to the DC itself, including domain admins [but services running under NT Service will need proper credentials to work right].

    0 Votes
    ghouls

    I was just wondering, let's say you are logging into a Win. XP computer with the domain administrator account; what can/can't you do with the domain administrator that the local administrator can/can't do?

    0 Votes
    don

    Let's also say that machine has a nasty virus, or keylogger, etc. and you just opened your entire domain to that nasty virus when you logged in and provided the domain admin credentials.
    But, you do have full control over that machine as if you logged into the local admin account.
