Spoilsport! Heh.
On Fri, Mar 5, 2010 at 08:41, Michael B. Smith <[email protected]> wrote: > Builtin\administrators require one step – which I’m not going to document > here – to make themselves a domain admin. > > > > Regards, > > > > Michael B. Smith > > Consultant and Exchange MVP > > http://TheEssentialExchange.com > > > > From: David Lum [mailto:[email protected]] > Sent: Friday, March 05, 2010 11:39 AM > To: NT System Admin Issues > Subject: BuiltIn\Administrators group on a DC > > > > Is it true that just because a normal domain account is a member of this > group on a DC that they do *not* have the same permissions as a domain > admin? > > > > I want to know of this statement is correct: > > ---------------------------------------------------- > > “If this service account could log on to the DC locally or via RDP (it can’t > due to a GPO we have for service accounts) then it could (in theory) access > the ADUC console but even then it cannot do anything because since it’s not > a member of Domain Admins or any group allowed delegation. > > > > Example, adding a user account, the ADUC console tests <domain>\<service > account> against the “allowed to create user account in the domain” ACL, and > BuiltIn\Administrators isn’t on that list. > > ---------------------------------------------------- > > > > What we’re trying to do is allow a program that requires local admin rights > to install a program on a 2003 DC w/out making it a domain admin, and my > understanding is BuiltIn\Administrators can do this. > > David Lum // SYSTEMS ENGINEER > NORTHWEST EVALUATION ASSOCIATION > (Desk) 971.222.1025 // (Cell) 503.267.9764 > > > > > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
