Go Back   TechArena Community > Technical Support > Computer Help > Windows Server > Windows Server Help
Become a Member!
Forgot your username/password?
Register Tags Active Topics RSS Search Mark Forums Read

Sponsored Links



Builtin\administrators group vs domain admins group

Windows Server Help


Reply
 
Thread Tools Search this Thread
  #1  
Old 22-01-2008
weaverbeaver
 
Posts: n/a
Builtin\administrators group vs domain admins group

I believe I understand the uses and relevant privileges of the domain admins
group however I am not clear on the builtin\administrators group? Are there
any priveleges which would be lost by moving an account from the domain
admins group to the builtin\administrators group? My new company have
accounts in both groups. Why?

thanks in advance

Reply With Quote
  #2  
Old 22-01-2008
Pegasus \(MVP\)
 
Posts: n/a
Re: Builtin\administrators group vs domain admins group

Domain admins are automatically members of the local
Administrator group but not vice versa. This means that
a local admin has no access to servers or other PCs
unless the account names & passwords are synchronised.
Reply With Quote
  #3  
Old 23-01-2008
Simon
 
Posts: n/a
RE: Builtin\administrators group vs domain admins group

The bultin/administrators group is created by default when you install
Windows. This group has complete and unrestricted access to the computer. By
default the only user account that is a member of this group is Administrator.

The Domain Administrators group is only present in a Windows domain. This
group has complete and unrestricted access to the entire domain, able to
logon to any pc or server that is a member of the domain.

When a pc/server is added to a domain, the domain admins group automatically
becomes a member of the builtin/administrators group, thus providing the
domain administrators administrator-level access to the computer.

If you moved an account from the domin admins group to the
builtin/adminstrators group, that account would be able to administer that
local computer but nothing else, unless you added the account to other
builtin/adminstrators groups.

The best method I have found is for the domain administrators to have a
standard user account and a separate domain administrator account for when
you need admin access across the domain. This prevents making un-intended
changes and also stops a virus from propogating across the network using your
credentials.

Hope all that makes sense, if not let me know.
Reply With Quote
  #4  
Old 24-01-2008
weaverbeaver
 
Posts: n/a
RE: Builtin\administrators group vs domain admins group

Thanks for your reply however my question is more about the Active directory
group called builtin\administrators stored in the builtin OU as opposed to
the local administrators group of a given windows machine

regards
Reply With Quote
  #5  
Old 14-01-2009
Member
 
Join Date: Jan 2009
Posts: 1
In general, it is better not to place users into domain local groups (such as builtin\administrators), but rather into global groups (such as domain admins), which are then placed into local groups.

This is akin to placing users into groups and placing groups into ACLs instead of placing users directly into ACLs. It's just cleaner.

Other limitations include that, in mixed mode, Domain Local Groups cannot be nested and generally apply to the domain controller only (because DLGs do not exist in NT, and therefore might not proliferate properly).

Also, Builtin groups cannot be members of other groups.

The Builtin\administrators group is a shared, local "Administrators" group on all the Domain Controllers.
Reply With Quote
Reply

  TechArena Community > Technical Support > Computer Help > Windows Server > Windows Server Help
Tags: , ,



Thread Tools Search this Thread
Search this Thread:

Advanced Search


Similar Threads for: "Builtin\administrators group vs domain admins group"
Thread Thread Starter Forum Replies Last Post
adding another domain user as domain admins group Billie Active Directory 3 19-07-2010 07:57 PM
VB. List the userID from group (Domain Admins set as Primary group) epremyan karapet Software Development 1 12-10-2009 08:26 PM
Domain user to local administrators group alimk Windows Server Help 5 30-09-2009 07:33 PM
Adding group/user to local Admins group on all workstations? IJAYA Window 2000 Help 2 04-07-2008 07:10 AM
Automatically Adding Domain Groups into Local Administrators group Frragrant Active Directory 3 17-06-2008 04:16 PM


All times are GMT +5.5. The time now is 10:01 AM.