Builtin\administrators group vs domain admins group

Discussion in 'Windows Server' started by weaverbeaver, Jan 21, 2008.

  1. weaverbeaver

    weaverbeaver Guest

    I believe I understand the uses and relevant privileges of the domain admins
    group however I am not clear on the builtin\administrators group? Are there
    any priveleges which would be lost by moving an account from the domain
    admins group to the builtin\administrators group? My new company have
    accounts in both groups. Why?

    thanks in advance
     
    weaverbeaver, Jan 21, 2008
    #1
    1. Advertisements

  2. Domain admins are automatically members of the local
    Administrator group but not vice versa. This means that
    a local admin has no access to servers or other PCs
    unless the account names & passwords are synchronised.
     
    Pegasus \(MVP\), Jan 21, 2008
    #2
    1. Advertisements

  3. weaverbeaver

    Simon Guest

    The bultin/administrators group is created by default when you install
    Windows. This group has complete and unrestricted access to the computer. By
    default the only user account that is a member of this group is Administrator.

    The Domain Administrators group is only present in a Windows domain. This
    group has complete and unrestricted access to the entire domain, able to
    logon to any pc or server that is a member of the domain.

    When a pc/server is added to a domain, the domain admins group automatically
    becomes a member of the builtin/administrators group, thus providing the
    domain administrators administrator-level access to the computer.

    If you moved an account from the domin admins group to the
    builtin/adminstrators group, that account would be able to administer that
    local computer but nothing else, unless you added the account to other
    builtin/adminstrators groups.

    The best method I have found is for the domain administrators to have a
    standard user account and a separate domain administrator account for when
    you need admin access across the domain. This prevents making un-intended
    changes and also stops a virus from propogating across the network using your
    credentials.

    Hope all that makes sense, if not let me know.

    Simon
     
    Simon, Jan 23, 2008
    #3
  4. weaverbeaver

    weaverbeaver Guest

    Thanks for your reply however my question is more about the Active directory
    group called builtin\administrators stored in the builtin OU as opposed to
    the local administrators group of a given windows machine

    regards

    Karl
     
    weaverbeaver, Jan 23, 2008
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.