  • #2249987

    Administrators group vs Domain Admins group

    by mehuls ·

    Hi, I am just learning Windows 2003 Active Directory. What’s the difference between the Administrators group (in BuiltIn) and the Domain Admins group (in Users)?

    Thanks

All Answers

    • #3215939

      Clarifications

      by mehuls ·

      In reply to Administrators group vs Domain Admins group

      Clarifications

    • #3215916

      Wait till you get to the Enterprise Admin Group

      by cg it ·

      In reply to Administrators group vs Domain Admins group

      The administrators group is installed when you first install the O/S. This is the local machine admin security group account.

      When you promote a server to a Domain Controller, to include DNS, Active Directory, the domain admin security group is added to administer the Active Directory domain.

      You can log on to the local machine using the local machine administrators account OR you can log on to the domain with the domain administrators account.

      Try logging on to the domain with the local machine administrators user name and password and see what happens.

      • #3218651

        unable to logon

        by mehuls ·

        In reply to Wait till you get to the Enterprise Admin Group

        Hi,

        I am unable to log on to the DC using the local machine administrators account.

        I only have the option to log on using the domain administrators account (called administrator).

        Also, what do you mean by:

        Wait till you get to the Enterprise Admin Group

        Rgs

        i.e. in the Log on to – the only option I have is the domain. Unlike on the PC, where you have domain and local PC.

        Try logging on to the domain with the local machine administrators user name and password and see what happens

      • #2543014

        You didn’t quite get his question

        by spamhause ·

        In reply to Wait till you get to the Enterprise Admin Group

        Re-read what he asked. It has nothing to do with the Administrators group in a machine’s local users and groups.

        Within Active Directory, under the “Builtin” folder, there is a group called “administrators”. Then also under the “Users” folder, there is a group called “Domain Admins”. The administrators group is completely independent of the local administrators group which you’ll find on all networked clients and servers except for domain controllers.

        What he is asking, and what I also wonder, is what the difference is between the domain admins group located under Users and the administrators group located under Builtin within Active Directory.

        • #2543004

          Answered my own question

          by spamhause ·

          In reply to You didn’t quite get his question

          Take a look at the following link:

          http://technet2.microsoft.com/windowsserver/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=true

          To summarize, it looks like the administrators group located within the Builtin folder gives full control over domain controllers on the domain. This is the equivalent of the administrators group on a local machine. It’s apparently located here in Active Directory due to a domain controller no longer having local users and groups once it’s promoted to a DC.

          The Domain Admins group has admin rights to the entire domain, not specifically domain controllers.

          By default, the “administrator” user account is a member of both of these groups. Domain Admins is also a member of the administrators group located under the builtin folder, so it also has admin rights on domain controllers.

          If you were to create a user account and put it in the administrators group, but not the domain admins group, the user would have admin rights on all of the domain controllers, but not the entire domain. Putting the user in domain admins would grant full admin rights to the entire domain, including domain controllers.
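
An added example (not part of the original thread): a PowerShell audit of the two groups described in the answer above. It lists the direct members of Builtin\Administrators and then the accounts that hold administrator rights there without being in Domain Admins. It assumes the ActiveDirectory module (RSAT) is installed and that it runs on a domain-joined management machine; the variable names are illustrative.

```powershell
# Added example: compare Builtin\Administrators with Domain Admins.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Use well-known SIDs so renamed or localized groups are still found.
$builtinAdminsSid = 'S-1-5-32-544'                     # BUILTIN\Administrators
$domainAdminsSid  = "$($domain.DomainSID.Value)-512"   # <domain>\Domain Admins

# Direct members show the nesting (Domain Admins is listed here by default).
$direct = Get-ADGroupMember -Identity $builtinAdminsSid

# Recursive expansion returns the non-group accounts behind each group.
# Note: expansion can fail if a nested member lives in another domain.
$builtinEffective = Get-ADGroupMember -Identity $builtinAdminsSid -Recursive
$domainAdmins     = Get-ADGroupMember -Identity $domainAdminsSid  -Recursive

$domainAdminSids = @($domainAdmins | ForEach-Object { $_.SID.Value })

# Accounts with admin rights on domain controllers that are NOT Domain Admins:
# the case described in the last paragraph of the answer above.
$dcOnly = $builtinEffective |
    Where-Object { $domainAdminSids -notcontains $_.SID.Value }

'--- Direct members of Builtin\Administrators ---'
$direct | Sort-Object objectClass, SamAccountName |
    Format-Table SamAccountName, objectClass, SID -AutoSize

'--- In Builtin\Administrators but not in Domain Admins ---'
if ($dcOnly) {
    $dcOnly | Sort-Object SamAccountName |
        Format-Table SamAccountName, objectClass, distinguishedName -AutoSize
} else {
    'None: every effective member is also a Domain Admin.'
}

'--- Effective Domain Admins (review for least privilege) ---'
$domainAdmins | Sort-Object SamAccountName |
    Format-Table SamAccountName, objectClass -AutoSize
```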

    • #3218847

      Here is a

      by zlitocook ·

      In reply to Administrators group vs Domain Admins group

      Web site I like and use every once in a while.
      http://www.ss64.com/ntsyntax/security_groups.html

      • #3218338

        The domain Administrators security group

        by cg it ·

        In reply to Here is a

        There are different security groups within a domain and on a machine.

        The local machine administrators security account is only good for logging in on the local machine, not the domain. The domain administrators security account is only good for logging onto the domain.

        In very large corporations with multiple forests and multiple domains within forests, there is the Enterprise Administrators security group which can manage the entire Enterprise. This group can delegate authority to domain administrators in managing their domain and other child domains [if granted].

        So the exercise of trying to log in on the domain with the local administrators account was to show that there are different administrator security accounts. One for a machine, one for a domain and they are not the same. That is why it is best practice to change the name of the local machine administrators account to something other than administrator and also change the domain admin account to something other than administrator.

        Further, on a DC that is the only DC in a single forest, single domain AD structure, there are two security settings: one for the DC and one for the Domain. If you change the admin security account for the DC using the security options, it is not the same as the Domain security account. Effectively you're blocking anyone from logging on to the DC itself, including domain admins [but services running under NT Service will need proper credentials to work right].

        • #2621859

          domain administrator vs local administrator

          by ghouls ·

          In reply to The domain Administrators security group

          I was just wondering, let’s say you are logging into Win. XP computer with domain administrator account, what can/can’t you do with domain administrator that local administrator can/can’t do?

        • #2985991

          dangerous

          by don ·

          In reply to domain administrator vs local administrator

          Let’s also say that machine has a nasty virus, or keylogger, etc. and you just opened your entire domain to that nasty virus when you logged in and provided the domain admin credentials.
          But, you do have full control over that machine as if you logged into the local admin account.
