Printable View
I believe I understand the uses and relevant privileges of the domain admins
group however I am not clear on the builtin\administrators group? Are there
any priveleges which would be lost by moving an account from the domain
admins group to the builtin\administrators group? My new company have
accounts in both groups. Why?
thanks in advance
Domain admins are automatically members of the local
Administrator group but not vice versa. This means that
a local admin has no access to servers or other PCs
unless the account names & passwords are synchronised.
The bultin/administrators group is created by default when you install
Windows. This group has complete and unrestricted access to the computer. By
default the only user account that is a member of this group is Administrator.
The Domain Administrators group is only present in a Windows domain. This
group has complete and unrestricted access to the entire domain, able to
logon to any pc or server that is a member of the domain.
When a pc/server is added to a domain, the domain admins group automatically
becomes a member of the builtin/administrators group, thus providing the
domain administrators administrator-level access to the computer.
If you moved an account from the domin admins group to the
builtin/adminstrators group, that account would be able to administer that
local computer but nothing else, unless you added the account to other
builtin/adminstrators groups.
The best method I have found is for the domain administrators to have a
standard user account and a separate domain administrator account for when
you need admin access across the domain. This prevents making un-intended
changes and also stops a virus from propogating across the network using your
credentials.
Hope all that makes sense, if not let me know.
Thanks for your reply however my question is more about the Active directory
group called builtin\administrators stored in the builtin OU as opposed to
the local administrators group of a given windows machine
regards
In general, it is better not to place users into domain local groups (such as builtin\administrators), but rather into global groups (such as domain admins), which are then placed into local groups.
This is akin to placing users into groups and placing groups into ACLs instead of placing users directly into ACLs. It's just cleaner.
Other limitations include that, in mixed mode, Domain Local Groups cannot be nested and generally apply to the domain controller only (because DLGs do not exist in NT, and therefore might not proliferate properly).
Also, Builtin groups cannot be members of other groups.
The Builtin\administrators group is a shared, local "Administrators" group on all the Domain Controllers.