Question
Wednesday, January 4, 2012 4:34 AM
What's the difference between builtin local/administrators and Domain Admins in AD 2003?
I don't mean the local/administrators account in the server but the one that we find in AD in the Builtin container.
All replies (13)
Wednesday, January 4, 2012 5:42 AM ✅Answered | 1 vote
Built-in administrator account deals with the local machine while domain admin is with Domain. Most of the time local administrative account is required when there is network logon problem or some issue with domain admin account, so that at least you can log on to the local server/PC and configure it.
Domain Admin is more powerful.
These are 2 groups. The "administrators" group is a local group which deals with the local machine. If you want a user to be able to administer only his machine and no one else's, then you would place the user in the "administrators" group of that machine.
The "domain administrators" group is a global group. By default, the domain administrators global group is placed in the local "administrators" group of all computers within the domain. So, by default, domain administrators can administer any machine within the domain.
There is a local "administrators" group that is also created on all domain controller servers. If a user is placed in this group, then this user can administer any domain controller within the domain. This is because all domain controllers utilize the same security database. This user would not be allowed to administer a member server or workstation within the domain, just the domain controllers.
Refer to the links below for more info:
http://serverfault.com/questions/174200/domain-admins-vs-administrators-in-windows-ad-dc
http://hardforum.com/archive/index.php/t-712393.html
Hope this helps
Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
My Blog: http://sandeshdubey.wordpress.com
This posting is provided AS IS with no warranties, and confers no rights.
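The group nesting described in the answer above, as an added example that is not part of the original post: a small Python model over a constructed directory snapshot (every host, group and user name is hypothetical) that resolves which machines each account administers. It models only the default nesting the answer describes, and also lists accounts that hold Builtin\Administrators rights without being Domain Admins.

```python
# Constructed sample data: hosts, groups and users are hypothetical.
DCS = {"DC01", "DC02"}            # domain controllers share one security database
MEMBER_HOSTS = {"FILE01", "WS042"}

# group -> direct members (users, or other groups for nesting)
GROUPS = {
    "DOMAIN\\Domain Admins": {"alice"},
    # Domain-local group in the Builtin container, common to every DC.
    "BUILTIN\\Administrators": {"DOMAIN\\Domain Admins", "bob"},
    # Machine-local groups; Domain Admins is nested in each by default.
    "FILE01\\Administrators": {"DOMAIN\\Domain Admins", "carol"},
    "WS042\\Administrators": {"DOMAIN\\Domain Admins", "DOMAIN\\Helpdesk"},
    # Deliberate nesting loop to show the resolver terminates.
    "DOMAIN\\Helpdesk": {"dave", "DOMAIN\\Tier1"},
    "DOMAIN\\Tier1": {"DOMAIN\\Helpdesk"},
}

def effective_users(group, groups=GROUPS, _seen=None):
    """Flatten nested membership into the set of user accounts."""
    seen = set() if _seen is None else _seen
    if group in seen:             # already expanded: avoid infinite recursion
        return set()
    seen.add(group)
    users = set()
    for member in groups.get(group, ()):
        if member in groups:      # nested group
            users |= effective_users(member, groups, seen)
        else:                     # plain user account
            users.add(member)
    return users

def admin_hosts(user):
    """Hosts on which `user` has OS-level administrator rights."""
    hosts = set()
    if user in effective_users("BUILTIN\\Administrators"):
        hosts |= DCS              # Builtin\Administrators applies to all DCs
    for host in MEMBER_HOSTS:
        if user in effective_users(f"{host}\\Administrators"):
            hosts.add(host)
    return hosts

def builtin_only_admins():
    """Accounts with DC/AD admin rights that are not Domain Admins."""
    return (effective_users("BUILTIN\\Administrators")
            - effective_users("DOMAIN\\Domain Admins"))

if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "dave"):
        print(u, sorted(admin_hosts(u)))
    print("review:", sorted(builtin_only_admins()))
```
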
Wednesday, January 4, 2012 6:58 AM ✅Answered
Hi SAMATA
Yes, you are correct: if a domain user is added to the "Domain administrators group" in AD, this user can control all domain controllers and also users securities in AD.
Hope this helps
Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
My Blog: http://sandeshdubey.wordpress.com
This posting is provided AS IS with no warranties, and confers no rights
Wednesday, January 4, 2012 10:08 AM ✅Answered
That's correct - domain local Administrators group (which exists on all domain controllers in a given domain) has full administrative rights to all AD objects - in addition to full administrative rights to all domain controller computers (i.e. Operating System-level privileges).
However, domain local Administrators group does NOT have OS-level admin privileges to any non-DC member computers in the domain. This is where Domain Admins come into play.
In addition, some of the tasks (e.g. adprep /domainprep) require membership in Domain Admins group
hth
Marcin
Wednesday, January 4, 2012 5:13 AM | 1 vote
Hi.
Please see the following link that explains the difference. The Domain Admins group is automatically added to the local administrators group of all member computers/servers being added to the particular domain; the Administrators group is not. However, both give unlimited access to the forest/domain, so the two groups should really contain the same members from a trustworthy perspective.
http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx
Enfo Zipper
Christoffer Andersson – Principal Advisor
"SAMATA" wrote in message news:7866aacc-d6b8-412e-ab1e-69d152d1c7c4...
What's the difference between builtin local/administrators and Domain Admins in AD 2003?
I don't mean the local/administrators account in the server but the one that we find in AD in the Builtin container.
Wednesday, January 4, 2012 5:23 AM
Administrators and Domain Admins are security groups in AD.
Administrators (security group) have the highest power in the domain.
But Domain Admins are security groups that are designated administrators of the domain, and Domain Admins can be a member of Administrators.
.. Amaresh Shukla, Sr Technical Support Engineer MCSE
Wednesday, January 4, 2012 5:26 AM
In fact what I still don't understand is **builtin local/administrators in Active Directory** and local/administrators in server. Are they the same?
Wednesday, January 4, 2012 5:48 AM
OK I see...
That's what I need, this part:
"There is a local "administrators" group that is also created on all domain controller servers. If a user is placed in this group, then this user can administer any domain controller within the domain. This is because all domain controllers utilize the same security database. This user would not be allowed to administer a member server or workstation within the domain, just the domain controllers. "
If the "local administrators group" in AD can control all domain controllers, also does it mean it can administer the users securities in AD?
Wednesday, January 4, 2012 5:54 AM
If the server is a domain controller, there are no local administrators.
But in the case of member servers, there are local administrators and they are different from domain administrators; these local administrators only have local system full access.
.. Amaresh Shukla, Sr Technical Support Engineer MCSE
Wednesday, January 4, 2012 5:58 AM
and as Sandesh explained, if the "local administrators group" in AD can control all domain controllers, also does it mean it can administer the users securities in AD?
Wednesday, January 4, 2012 6:04 AM
I think this "local administrators group" in AD is basically the "Domain local administrators group" in AD.
.. Amaresh Shukla, Sr Technical Support Engineer MCSE
Wednesday, January 4, 2012 9:19 AM
I don't know whether you used the term local administrator for DC or local system account.
Local administrator account is specific to the local system, which grants full control of the system irrespective of any limit/policy defined.
Administrators and Domain admin account provide similar functionality for single forest/domain. Domain admin is almost everything in single forest/domain; they can make themselves member of any group or remove anyone from any group.
http://www.techrepublic.com/forum/questions/101-203574
Regards
Awinish Vishwakarma
**MY BLOG:** awinish.wordpress.com
This posting is provided AS-IS with no warranties/guarantees and confers no rights.
Wednesday, January 4, 2012 7:10 PM
Many thanks for the explanations everybody!
Wednesday, January 4, 2012 7:11 PM
Thanks!