Builtin\administrators group vs domain admins group
I believe I understand the uses and relevant privileges of the domain admins
group however I am not clear on the builtin\administrators group? Are there
any priveleges which would be lost by moving an account from the domain
admins group to the builtin\administrators group? My new company have
accounts in both groups. Why?
thanks in advance
Re: Builtin\administrators group vs domain admins group
Domain admins are automatically members of the local
Administrator group but not vice versa. This means that
a local admin has no access to servers or other PCs
unless the account names & passwords are synchronised.
RE: Builtin\administrators group vs domain admins group
The bultin/administrators group is created by default when you install
Windows. This group has complete and unrestricted access to the computer. By
default the only user account that is a member of this group is Administrator.
The Domain Administrators group is only present in a Windows domain. This
group has complete and unrestricted access to the entire domain, able to
logon to any pc or server that is a member of the domain.
When a pc/server is added to a domain, the domain admins group automatically
becomes a member of the builtin/administrators group, thus providing the
domain administrators administrator-level access to the computer.
If you moved an account from the domin admins group to the
builtin/adminstrators group, that account would be able to administer that
local computer but nothing else, unless you added the account to other
builtin/adminstrators groups.
The best method I have found is for the domain administrators to have a
standard user account and a separate domain administrator account for when
you need admin access across the domain. This prevents making un-intended
changes and also stops a virus from propogating across the network using your
credentials.
Hope all that makes sense, if not let me know.
RE: Builtin\administrators group vs domain admins group
Thanks for your reply however my question is more about the Active directory
group called builtin\administrators stored in the builtin OU as opposed to
the local administrators group of a given windows machine
regards