Results 1 to 5 of 5

Thread: Builtin\administrators group vs domain admins group

  1. #1
    weaverbeaver Guest

    Builtin\administrators group vs domain admins group

    I believe I understand the uses and relevant privileges of the domain admins
    group however I am not clear on the builtin\administrators group? Are there
    any priveleges which would be lost by moving an account from the domain
    admins group to the builtin\administrators group? My new company have
    accounts in both groups. Why?

    thanks in advance

  2. #2
    Pegasus \(MVP\) Guest

    Re: Builtin\administrators group vs domain admins group

    Domain admins are automatically members of the local
    Administrator group but not vice versa. This means that
    a local admin has no access to servers or other PCs
    unless the account names & passwords are synchronised.

  3. #3
    Simon Guest

    RE: Builtin\administrators group vs domain admins group

    The bultin/administrators group is created by default when you install
    Windows. This group has complete and unrestricted access to the computer. By
    default the only user account that is a member of this group is Administrator.

    The Domain Administrators group is only present in a Windows domain. This
    group has complete and unrestricted access to the entire domain, able to
    logon to any pc or server that is a member of the domain.

    When a pc/server is added to a domain, the domain admins group automatically
    becomes a member of the builtin/administrators group, thus providing the
    domain administrators administrator-level access to the computer.

    If you moved an account from the domin admins group to the
    builtin/adminstrators group, that account would be able to administer that
    local computer but nothing else, unless you added the account to other
    builtin/adminstrators groups.

    The best method I have found is for the domain administrators to have a
    standard user account and a separate domain administrator account for when
    you need admin access across the domain. This prevents making un-intended
    changes and also stops a virus from propogating across the network using your

    Hope all that makes sense, if not let me know.

  4. #4
    weaverbeaver Guest

    RE: Builtin\administrators group vs domain admins group

    Thanks for your reply however my question is more about the Active directory
    group called builtin\administrators stored in the builtin OU as opposed to
    the local administrators group of a given windows machine


  5. #5
    Join Date
    Jan 2009
    In general, it is better not to place users into domain local groups (such as builtin\administrators), but rather into global groups (such as domain admins), which are then placed into local groups.

    This is akin to placing users into groups and placing groups into ACLs instead of placing users directly into ACLs. It's just cleaner.

    Other limitations include that, in mixed mode, Domain Local Groups cannot be nested and generally apply to the domain controller only (because DLGs do not exist in NT, and therefore might not proliferate properly).

    Also, Builtin groups cannot be members of other groups.

    The Builtin\administrators group is a shared, local "Administrators" group on all the Domain Controllers.

Similar Threads

  1. adding another domain user as domain admins group
    By Billie in forum Active Directory
    Replies: 3
    Last Post: 19-07-2010, 07:57 PM
  2. VB. List the userID from group (Domain Admins set as Primary group)
    By epremyan karapet in forum Software Development
    Replies: 1
    Last Post: 12-10-2009, 08:26 PM
  3. Domain user to local administrators group
    By alimk in forum Windows Server Help
    Replies: 5
    Last Post: 30-09-2009, 07:33 PM
  4. Replies: 2
    Last Post: 04-07-2008, 07:10 AM
  5. Replies: 3
    Last Post: 17-06-2008, 04:16 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts