November 1, 2006 at 8:30 am #2249987
Administrators group vs Domain Admins group
by mehuls · about 17 years, 5 months ago
Hi, I am just learning Windows 2003 Active Directory. What’s the difference between the Administrators group (in BuiltIn) and the Domain Admins group (in Users)?
Thanks
Topic is locked
All Answers
November 1, 2006 at 8:30 am #3215939
Clarifications
by mehuls · about 17 years, 5 months ago
In reply to Administrators group vs Domain Admins group
Clarifications
-
November 1, 2006 at 10:17 am #3215916
Wait till you get to the Enterprise Admin Group
by cg it · about 17 years, 5 months ago
In reply to Administrators group vs Domain Admins group
The administrators group is installed when you first install the O/S. This is the local machine admin security group account.
When you promote a server to a Domain Controller, to include DNS, Active Directory, the domain admin security group is added to administer the Active Directory domain.
You can log on to the local machine using the local machine administrators account OR you can log on to the domain with the domain administrators account.
Try logging on to the domain with the local machine administrators user name and password and see what happens.
-
November 2, 2006 at 7:32 am #3218651
unable to logon
by mehuls · about 17 years, 5 months ago
In reply to Wait till you get to the Enterprise Admin Group
Hi,
I am unable to log on to the DC using the local machine administrators account.
I only have the option to log on using the domain administrators account (called administrator).
Also, what do you mean by:
Wait till you get to the Enterprise Admin Group
Rgs
i.e. in the Log on to – the only option I have is the domain. Unlike on the PC, where you have domain and local PC.
Try logging on to the domain with the local machine administrators user name and password and see what happens
-
April 26, 2007 at 11:32 am #2543014
You didn’t quite get his question
by spamhause · about 16 years, 11 months ago
In reply to Wait till you get to the Enterprise Admin Group
Re-read what he asked. It has nothing to do with the Administrators group in a machine’s local users and groups.
Within Active Directory, under the “Builtin” folder, there is a group called “administrators”. Then also under the “Users” folder, there is a group called “Domain Admins”. The administrators group is completely independent of the local administrators group which you’ll find on all networked clients and servers except for domain controllers.
What he is asking, and what I also wonder, is what the difference is between the domain admins group located under Users and the administrators group located under Builtin within Active Directory.
-
April 26, 2007 at 11:56 am #2543004
Answered my own question
by spamhause · about 16 years, 11 months ago
In reply to You didn’t quite get his question
Take a look at the following link:
To summarize, it looks like the administrators group located within the Builtin folder gives full control over domain controllers on the domain. This is the equivalent of the administrators group on a local machine. It’s apparently located here in Active Directory due to a domain controller no longer having local users and groups once it’s promoted to a DC.
The Domain Admins group has admin rights to the entire domain, not specifically domain controllers.
By default, the “administrator” user account is a member of both of these groups. Domain Admins is also a member of the administrators group located under the builtin folder, so it also has admin rights on domain controllers.
If you were to create a user account and put it in the administrators group, but not the domain admins group, the user would have admin rights on all of the domain controllers, but not the entire domain. Putting the user in domain admins would grant full admin rights to the entire domain, including domain controllers.
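
As an added example (not part of the original thread), the nesting described in the post above can be audited on a live domain with the ActiveDirectory PowerShell module. The script assumes RSAT is installed and the caller can read the directory; it looks the groups up by their well-known SIDs so it still works if they were renamed.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Well-known SIDs: Builtin\Administrators is fixed, Domain Admins is <domain SID>-512.
$builtinAdminsSid = 'S-1-5-32-544'
$domainAdminsSid  = "$($domain.DomainSID.Value)-512"

$builtinAdmins = Get-ADGroup -Identity $builtinAdminsSid
$domainAdmins  = Get-ADGroup -Identity $domainAdminsSid

# Direct members of Builtin\Administrators: this is where the nesting shows up.
$direct = @(Get-ADGroupMember -Identity $builtinAdmins)
$isNested = @($direct | Where-Object { $_.SID.Value -eq $domainAdminsSid }).Count -gt 0
"Domain Admins nested in Builtin\Administrators: $isNested"

# Effective (recursive) membership of each group, flattened to accounts.
$effectiveBuiltin = @(Get-ADGroupMember -Identity $builtinAdmins -Recursive)
$effectiveDA      = @(Get-ADGroupMember -Identity $domainAdmins  -Recursive)
$daSids           = @($effectiveDA | ForEach-Object { $_.SID.Value })

# One row per account with admin rights on the domain controllers.
# InDomainAdmins = False marks accounts that reach the DCs through
# Builtin\Administrators without being Domain Admins.
$report = $effectiveBuiltin |
    Sort-Object -Property SamAccountName -Unique |
    ForEach-Object {
        [pscustomobject]@{
            Account        = $_.SamAccountName
            ObjectClass    = $_.objectClass
            InDomainAdmins = $daSids -contains $_.SID.Value
        }
    }

$report | Format-Table -AutoSize

# Accounts worth reviewing: DC admin rights granted outside Domain Admins.
$report | Where-Object { -not $_.InDomainAdmins } |
    Select-Object -ExpandProperty Account
```

Accounts listed by the last command hold administrator rights on the domain controllers through the Builtin group alone, which is the case the post describes for a user added to administrators but not to Domain Admins.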
-
November 1, 2006 at 4:16 pm #3218847
Here is a
by zlitocook · about 17 years, 5 months ago
In reply to Administrators group vs Domain Admins group
Web site I like and use every once in a while.
http://www.ss64.com/ntsyntax/security_groups.html
-
November 2, 2006 at 5:12 pm #3218338
The domain Administrators security group
by cg it · about 17 years, 5 months ago
In reply to Here is a
There are different security groups within a domain and on a machine.
The local machine administrators security account is only good for logging in on the local machine, not the domain. The domain administrators security account is only good for logging onto the domain.
In very large corporations with multiple forests and multiple domains within forests, there is the Enterprise Administrators security group which can manage the entire Enterprise. This group can delegate authority to domain administrators in managing their domain and other child domains [if granted].
So the exercise of trying to log in on the domain with the local administrators account was to show that there are different administrator security accounts. One for a machine, one for a domain and they are not the same. That is why it is best practice to change the name of the local machine administrators account to something other than administrator and also change the domain admin account to something other than administrator.
Further, on a DC that is the only DC in a single forest, single domain AD structure, there are two security settings. One for the DC and one for the domain. If you change the admin security account for the DC using the security options it is not the same as the Domain security account. Effectively you’re blocking anyone from logging on to the DC itself including domain admins [but services running under NT Service will need proper credentials to work right].
-
July 21, 2007 at 12:19 pm #2621859
domain administrator vs local administrator
by ghouls · about 16 years, 8 months ago
In reply to The domain Administrators security group
I was just wondering, let’s say you are logging into a Win. XP computer with a domain administrator account, what can/can’t you do with domain administrator that local administrator can/can’t do?
-
December 19, 2008 at 10:38 am #2985991
dangerous
by don · about 15 years, 3 months ago
In reply to domain administrator vs local administrator
Let’s also say that machine has a nasty virus, or keylogger, etc. and you just opened your entire domain to that nasty virus when you logged in and provided the domain admin credentials.
But, you do have full control over that machine as if you logged into the local admin account.