I have just recently setup a DC with AD. I am the domain admin and I added four people to the "built-in administrator" account within AD under the domain OU. We put one client on the domain and I had one of the four admins test his privileges. He had no more privileges then a domain user. On the client I opened the "Local Users and Groups" and under administrators group the only account listed was local Administrator and XXdomainXX\Domain Admins. So I created a new custom admin group and made it a member of the "Built-in Administrators" group within AD. The I added the newly created AD custom admin group on the client under the "Administrators" group locally. After doing that, the local admins could administrator the computer.
I have two questions:
1. Shouldn't adding users to the built-in admin account give them admin rights locally on the PC when they authenticate on the pc within the domain?
2. If the above is incorrect, then do I have to manually enter the newly created admin group on each PC that is put on the domain?
I know that I can just include the group on a ghost image etc but I would much rather just be able to add my admins to the built-in admin group within AD and be done with it. What am I missing here?
Thanks for your help!
Bookmarks