Is it true that just because a normal domain account is a member of this group 
on a DC that they do *not* have the same permissions as a domain admin?

I want to know of this statement is correct:
----------------------------------------------------
"If this service account could log on to the DC locally or via RDP (it can't 
due to a GPO we have for service accounts) then it could (in theory) access the 
ADUC console but even then it cannot do anything because since it's not a 
member of Domain Admins or any group allowed delegation.

Example, adding a user account, the ADUC console tests <domain>\<service 
account> against the "allowed to create user account in the domain" ACL, and 
BuiltIn\Administrators isn't on that list.
----------------------------------------------------

What we're trying to do is allow a program that requires local admin rights to 
install a program on a 2003 DC w/out making it a domain admin, and my 
understanding is BuiltIn\Administrators can do this.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Reply via email to