True difference between Domain Admin grp and Administrators Group

Discussion in 'Windows Server' started by Rob, Apr 6, 2005.

  1. Rob

    Rob Guest

    All.

    I am trying to come up with a true reason adn difference between the
    Administrators group and the Domain Admins group. OTHER THAN... the fact that
    Administrators have local access and control. If in the Domain Admins what
    else do they lose??

    Also.. What the heirarchy of all teh Built in user groups..

    Thanks

    r
     
    Rob, Apr 6, 2005
    #1
    1. Advertisements

  2. The answer is: They lose nothing. The domain admin group
    is a member of the domain "administrator" group by default.
    I can think of one main difference off the top of my head:
    The domain admin group not only has local administrator
    access to all DCs like the domain "administrator" group but
    it also has local "administrative" access to all domain members
    as well. When a computer joins the domain the domain admin
    group is automatically added to the local "administrators" group.
    The domain "administrators" group is a local group and the
    "domain admin" group is a global group. Below is the official
    explaination from Windows Server 2003 Help and Support:


    Domain Admins

    Description:
    Members of this group have full control of the domain. By default, this
    group is a member of the Administrators group on all domain controllers, all
    domain workstations, and all domain member servers at the time they are
    joined to the domain. By default, the Administrator account is a member of
    this group. Because the group has full control in the domain, add users with
    caution.

    Default User Rights:

    Access this computer from the network; Adjust memory quotas for a process;
    Back up files and directories; Bypass traverse checking; Change the system
    time; Create a pagefile; Debug programs; Enable computer and user accounts
    to be trusted for delegation; Force a shutdown from a remote system;
    Increase scheduling priority; Load and unload device drivers; Allow log on
    locally; Manage auditing and security log; Modify firmware environment
    values; Profile single process; Profile system performance; Remove computer
    from docking station; Restore files and directories; Shut down the system;
    Take ownership of files or other objects.


    Administrators
    Description:
    Members of this group have full control of all domain controllers in the
    domain. By default, the Domain Admins and Enterprise Admins groups are
    members of the Administrators group. The Administrator account is also a
    default member. Because this group has full control in the domain, add users
    with caution.

    Default User rights:
    Access this computer from the network; Adjust memory quotas for a process;
    Back up files and directories; Bypass traverse checking; Change the system
    time; Create a pagefile; Debug programs; Enable computer and user accounts
    to be trusted for delegation; Force a shutdown from a remote system;
    Increase scheduling priority; Load and unload device drivers; Allow log on
    locally; Manage auditing and security log; Modify firmware environment
    values; Profile single process; Profile system performance; Remove computer
    from docking station; Restore files and directories; Shut down the system;
    Take ownership of files or other objects.
     
    Michael Giorgio - MS MVP, Apr 6, 2005
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.