Is it true that just because a normal domain account is a member of this group on a DC that they do *not* have the same permissions as a domain admin?
I want to know of this statement is correct: ---------------------------------------------------- "If this service account could log on to the DC locally or via RDP (it can't due to a GPO we have for service accounts) then it could (in theory) access the ADUC console but even then it cannot do anything because since it's not a member of Domain Admins or any group allowed delegation. Example, adding a user account, the ADUC console tests <domain>\<service account> against the "allowed to create user account in the domain" ACL, and BuiltIn\Administrators isn't on that list. ---------------------------------------------------- What we're trying to do is allow a program that requires local admin rights to install a program on a 2003 DC w/out making it a domain admin, and my understanding is BuiltIn\Administrators can do this. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
