Yeah, that's not quite true.

A DC still has a local SAM. For example, that's where the DS Restore Mode users 
and passwords are stored. The local SAM is the one that existed at the time the 
DC was promoted.

There are also a number of local groups - called BUILTIN groups. Go into ADUC. 
You'll see the Builtin container. Builtin groups are shared on EVERY DC IN A 
DOMAIN. So if you put an account into a builtin group on any DC, that account 
will be in the Builtin group on every DC. And specifically for the 
Builtin\Administrators group, the description (accurately) is "Administrators 
have complete and unrestricted access to the computer/domain".

You'll note that the Builtin\Administrators group includes Domain Admins, 
Enterprise Admins, and some Exchange groups if you have Exchange installed.

What people are raising the DISTINCTION BETWEEN is logging in using local users 
- which you can't do on a DC that isn't in recovery mode or safe mode - and 
assigning permissions to local (Builtin) groups; which you absolutely CAN do.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Glen Johnson [mailto:[email protected]]
Sent: Friday, March 05, 2010 1:25 PM
To: NT System Admin Issues
Subject: RE: BuiltIn\Administrators group on a DC

I could be all confused, but I thought there are no local users or groups on a 
DC, so I'm having a hard time getting my head around the first sentence in the 
OP.
Or am I totally missing the question?
I sure can't find a local group or user on ours, or even a way to find one if 
it exists.
I found a post on the net that said you could list info using  net localgroup 
administrators
I ran that on one of our DCs and it gives the following statement.

Comment  Members can fully administer the computer/domain.

And "Net localgroup" lists all domain groups.
Also "net user" lists all domain users.

I'm also finding lots of posts that say "There is no such thing as a local 
admin on a DC", that is until server 08 R2 and it must be a RODC.
So the end result is an account in the Builtin\Administrators group would be an 
administrator on all DCs but "maybe" not the domain.
Now everyone tell me how confused I really am.

BTW, these comments are just for my own education.

From: Michael B. Smith [mailto:[email protected]]
Sent: Friday, March 05, 2010 11:42 AM
To: NT System Admin Issues
Subject: RE: BuiltIn\Administrators group on a DC

Builtin\administrators require one step - which I'm not going to document here 
- to make themselves a domain admin.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: David Lum [mailto:[email protected]]
Sent: Friday, March 05, 2010 11:39 AM
To: NT System Admin Issues
Subject: BuiltIn\Administrators group on a DC

Is it true that just because a normal domain account is a member of this group 
on a DC that they do *not* have the same permissions as a domain admin?

I want to know of this statement is correct:
----------------------------------------------------
"If this service account could log on to the DC locally or via RDP (it can't 
due to a GPO we have for service accounts) then it could (in theory) access the 
ADUC console but even then it cannot do anything because since it's not a 
member of Domain Admins or any group allowed delegation.

Example, adding a user account, the ADUC console tests <domain>\<service 
account> against the "allowed to create user account in the domain" ACL, and 
BuiltIn\Administrators isn't on that list.
----------------------------------------------------

What we're trying to do is allow a program that requires local admin rights to 
install a program on a 2003 DC w/out making it a domain admin, and my 
understanding is BuiltIn\Administrators can do this.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764














~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Reply via email to