Guest weaverbeaver Posted January 21, 2008 Posted January 21, 2008 I believe I understand the uses and relevant privileges of the domain admins group however I am not clear on the builtin\administrators group? Are there any priveleges which would be lost by moving an account from the domain admins group to the builtin\administrators group? My new company have accounts in both groups. Why? thanks in advance
Guest Pegasus \(MVP\) Posted January 21, 2008 Posted January 21, 2008 Re: Builtin\administrators group vs domain admins group "weaverbeaver" <weaverbeaver@discussions.microsoft.com> wrote in message news:0E2134DD-0EF6-4D58-9D4C-F21024F7147E@microsoft.com... >I believe I understand the uses and relevant privileges of the domain >admins > group however I am not clear on the builtin\administrators group? Are > there > any priveleges which would be lost by moving an account from the domain > admins group to the builtin\administrators group? My new company have > accounts in both groups. Why? > > thanks in advance Domain admins are automatically members of the local Administrator group but not vice versa. This means that a local admin has no access to servers or other PCs unless the account names & passwords are synchronised.
Guest Simon Posted January 23, 2008 Posted January 23, 2008 RE: Builtin\administrators group vs domain admins group The bultin/administrators group is created by default when you install Windows. This group has complete and unrestricted access to the computer. By default the only user account that is a member of this group is Administrator. The Domain Administrators group is only present in a Windows domain. This group has complete and unrestricted access to the entire domain, able to logon to any pc or server that is a member of the domain. When a pc/server is added to a domain, the domain admins group automatically becomes a member of the builtin/administrators group, thus providing the domain administrators administrator-level access to the computer. If you moved an account from the domin admins group to the builtin/adminstrators group, that account would be able to administer that local computer but nothing else, unless you added the account to other builtin/adminstrators groups. The best method I have found is for the domain administrators to have a standard user account and a separate domain administrator account for when you need admin access across the domain. This prevents making un-intended changes and also stops a virus from propogating across the network using your credentials. Hope all that makes sense, if not let me know. Simon "weaverbeaver" wrote: > I believe I understand the uses and relevant privileges of the domain admins > group however I am not clear on the builtin\administrators group? Are there > any priveleges which would be lost by moving an account from the domain > admins group to the builtin\administrators group? My new company have > accounts in both groups. Why? > > thanks in advance
Guest weaverbeaver Posted January 23, 2008 Posted January 23, 2008 RE: Builtin\administrators group vs domain admins group Thanks for your reply however my question is more about the Active directory group called builtin\administrators stored in the builtin OU as opposed to the local administrators group of a given windows machine regards Karl "Simon" wrote: > The bultin/administrators group is created by default when you install > Windows. This group has complete and unrestricted access to the computer. By > default the only user account that is a member of this group is Administrator. > > The Domain Administrators group is only present in a Windows domain. This > group has complete and unrestricted access to the entire domain, able to > logon to any pc or server that is a member of the domain. > > When a pc/server is added to a domain, the domain admins group automatically > becomes a member of the builtin/administrators group, thus providing the > domain administrators administrator-level access to the computer. > > If you moved an account from the domin admins group to the > builtin/adminstrators group, that account would be able to administer that > local computer but nothing else, unless you added the account to other > builtin/adminstrators groups. > > The best method I have found is for the domain administrators to have a > standard user account and a separate domain administrator account for when > you need admin access across the domain. This prevents making un-intended > changes and also stops a virus from propogating across the network using your > credentials. > > Hope all that makes sense, if not let me know. > > Simon > > "weaverbeaver" wrote: > > > I believe I understand the uses and relevant privileges of the domain admins > > group however I am not clear on the builtin\administrators group? Are there > > any priveleges which would be lost by moving an account from the domain > > admins group to the builtin\administrators group? My new company have > > accounts in both groups. Why? > > > > thanks in advance
Recommended Posts