Administrators is a Domain Local Group that originates in the Builtin container and by default contains Domain Admins, Enterprise Admins and the administrator(500) account. Domain Admins is a Global Group that originates in the Users container, because of the scope, it's use can be more widespread and it is included by default in the administrators group on all member computers in the domain. That also means that you can add Domain Admins to groups on machines anywhere that trusts the domain (workstations, servers, other domain's, etc).
As far as the "No such thing as a local admin" bit, different people have different ways of looking at it. Some will say while there is no single, individual administrator account that is unique to each DC, others will say the domain administrator(500) account is essentially the same as the builtin\administrator on a standalone system. Others will say that each machine indeed has a local account, that being the DSRM account. Some say there is no SAM on a DC, everything is in AD, actually there is, that's where the DSRM account lives. All are correct in a sense depending on your perspective. The simplest answer is that there is really no less power in being a member of the administrators group vs domain admins, look at the ACLs in your directory and that readily becomes apparent. From: Glen Johnson [mailto:[email protected]] Sent: Friday, March 05, 2010 10:25 AM To: NT System Admin Issues Subject: RE: BuiltIn\Administrators group on a DC I could be all confused, but I thought there are no local users or groups on a DC, so I'm having a hard time getting my head around the first sentence in the OP. Or am I totally missing the question? I sure can't find a local group or user on ours, or even a way to find one if it exists. I found a post on the net that said you could list info using net localgroup administrators I ran that on one of our DCs and it gives the following statement. Comment Members can fully administer the computer/domain. And "Net localgroup" lists all domain groups. Also "net user" lists all domain users. I'm also finding lots of posts that say "There is no such thing as a local admin on a DC", that is until server 08 R2 and it must be a RODC. So the end result is an account in the Builtin\Administrators group would be an administrator on all DCs but "maybe" not the domain. Now everyone tell me how confused I really am. BTW, these comments are just for my own education. From: Michael B. Smith [mailto:[email protected]] Sent: Friday, March 05, 2010 11:42 AM To: NT System Admin Issues Subject: RE: BuiltIn\Administrators group on a DC Builtin\administrators require one step - which I'm not going to document here - to make themselves a domain admin. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: David Lum [mailto:[email protected]] Sent: Friday, March 05, 2010 11:39 AM To: NT System Admin Issues Subject: BuiltIn\Administrators group on a DC Is it true that just because a normal domain account is a member of this group on a DC that they do *not* have the same permissions as a domain admin? I want to know of this statement is correct: ---------------------------------------------------- "If this service account could log on to the DC locally or via RDP (it can't due to a GPO we have for service accounts) then it could (in theory) access the ADUC console but even then it cannot do anything because since it's not a member of Domain Admins or any group allowed delegation. Example, adding a user account, the ADUC console tests <domain>\<service account> against the "allowed to create user account in the domain" ACL, and BuiltIn\Administrators isn't on that list. ---------------------------------------------------- What we're trying to do is allow a program that requires local admin rights to install a program on a 2003 DC w/out making it a domain admin, and my understanding is BuiltIn\Administrators can do this. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
