Administrators is a Domain Local Group that originates in the Builtin
container and by default contains Domain Admins, Enterprise Admins and
the administrator(500) account. Domain Admins is a Global Group that
originates in the Users container, because of the scope,  it's use can
be more widespread and it is included by default in the administrators
group on all member computers in the domain. That also means that you
can add Domain Admins to groups on machines anywhere that trusts the
domain (workstations, servers, other domain's, etc).

 

As far as the "No such thing as a local admin" bit, different people
have different ways of looking at it. Some will say while there is no
single, individual administrator account that is unique to each DC,
others will say the domain administrator(500) account is essentially the
same as the builtin\administrator on a standalone system. Others will
say that each machine indeed has a local account, that being the DSRM
account. Some say there is no SAM on a DC, everything is in AD, actually
there is, that's where the DSRM account lives. All are correct in a
sense depending on your perspective. 

 

The simplest answer is that  there is really no less power in being a
member of the administrators group vs domain admins, look at the ACLs in
your directory and that readily becomes apparent.

 

 

From: Glen Johnson [mailto:[email protected]] 
Sent: Friday, March 05, 2010 10:25 AM
To: NT System Admin Issues
Subject: RE: BuiltIn\Administrators group on a DC

 

I could be all confused, but I thought there are no local users or
groups on a DC, so I'm having a hard time getting my head around the
first sentence in the OP.

Or am I totally missing the question?

I sure can't find a local group or user on ours, or even a way to find
one if it exists.

I found a post on the net that said you could list info using  net
localgroup administrators

I ran that on one of our DCs and it gives the following statement.

 

Comment  Members can fully administer the computer/domain. 

 

And "Net localgroup" lists all domain groups.

Also "net user" lists all domain users.

 

I'm also finding lots of posts that say "There is no such thing as a
local admin on a DC", that is until server 08 R2 and it must be a RODC.

So the end result is an account in the Builtin\Administrators group
would be an administrator on all DCs but "maybe" not the domain.

Now everyone tell me how confused I really am.

 

BTW, these comments are just for my own education.

 

From: Michael B. Smith [mailto:[email protected]] 
Sent: Friday, March 05, 2010 11:42 AM
To: NT System Admin Issues
Subject: RE: BuiltIn\Administrators group on a DC

 

Builtin\administrators require one step - which I'm not going to
document here - to make themselves a domain admin.

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: David Lum [mailto:[email protected]] 
Sent: Friday, March 05, 2010 11:39 AM
To: NT System Admin Issues
Subject: BuiltIn\Administrators group on a DC

 

Is it true that just because a normal domain account is a member of this
group on a DC that they do *not* have the same permissions as a domain
admin?

 

I want to know of this statement is correct: 

----------------------------------------------------

"If this service account could log on to the DC locally or via RDP (it
can't due to a GPO we have for service accounts) then it could (in
theory) access the ADUC console but even then it cannot do anything
because since it's not a member of Domain Admins or any group allowed
delegation. 

 

Example, adding a user account, the ADUC console tests <domain>\<service
account> against the "allowed to create user account in the domain" ACL,
and BuiltIn\Administrators isn't on that list.

----------------------------------------------------

 

What we're trying to do is allow a program that requires local admin
rights to install a program on a 2003 DC w/out making it a domain admin,
and my understanding is BuiltIn\Administrators can do this.

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

 

 

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Reply via email to