Builtin\administrators group vs domain admins group

[Guest weaverbeaver]

I believe I understand the uses and relevant privileges of the domain admins

group however I am not clear on the builtin\administrators group? Are there

any priveleges which would be lost by moving an account from the domain

admins group to the builtin\administrators group? My new company have

accounts in both groups. Why?

 

thanks in advance

[Guest Pegasus \(MVP\)]

Re: Builtin\administrators group vs domain admins group

 

 

"weaverbeaver" <weaverbeaver@discussions.microsoft.com> wrote in message

news:0E2134DD-0EF6-4D58-9D4C-F21024F7147E@microsoft.com...

>I believe I understand the uses and relevant privileges of the domain

>admins

> group however I am not clear on the builtin\administrators group? Are

> there

> any priveleges which would be lost by moving an account from the domain

> admins group to the builtin\administrators group? My new company have

> accounts in both groups. Why?

>

> thanks in advance

 

Domain admins are automatically members of the local

Administrator group but not vice versa. This means that

a local admin has no access to servers or other PCs

unless the account names & passwords are synchronised.

[Guest Simon]

RE: Builtin\administrators group vs domain admins group

 

The bultin/administrators group is created by default when you install

Windows. This group has complete and unrestricted access to the computer. By

default the only user account that is a member of this group is Administrator.

 

The Domain Administrators group is only present in a Windows domain. This

group has complete and unrestricted access to the entire domain, able to

logon to any pc or server that is a member of the domain.

 

When a pc/server is added to a domain, the domain admins group automatically

becomes a member of the builtin/administrators group, thus providing the

domain administrators administrator-level access to the computer.

 

If you moved an account from the domin admins group to the

builtin/adminstrators group, that account would be able to administer that

local computer but nothing else, unless you added the account to other

builtin/adminstrators groups.

 

The best method I have found is for the domain administrators to have a

standard user account and a separate domain administrator account for when

you need admin access across the domain. This prevents making un-intended

changes and also stops a virus from propogating across the network using your

credentials.

 

Hope all that makes sense, if not let me know.

 

Simon

 

"weaverbeaver" wrote:

> I believe I understand the uses and relevant privileges of the domain admins

> group however I am not clear on the builtin\administrators group? Are there

> any priveleges which would be lost by moving an account from the domain

> admins group to the builtin\administrators group? My new company have

> accounts in both groups. Why?

>

> thanks in advance

[Guest weaverbeaver]

RE: Builtin\administrators group vs domain admins group

 

Thanks for your reply however my question is more about the Active directory

group called builtin\administrators stored in the builtin OU as opposed to

the local administrators group of a given windows machine

 

regards

 

Karl

 

"Simon" wrote:

> The bultin/administrators group is created by default when you install

> Windows. This group has complete and unrestricted access to the computer. By

> default the only user account that is a member of this group is Administrator.

>

> The Domain Administrators group is only present in a Windows domain. This

> group has complete and unrestricted access to the entire domain, able to

> logon to any pc or server that is a member of the domain.

>

> When a pc/server is added to a domain, the domain admins group automatically

> becomes a member of the builtin/administrators group, thus providing the

> domain administrators administrator-level access to the computer.

>

> If you moved an account from the domin admins group to the

> builtin/adminstrators group, that account would be able to administer that

> local computer but nothing else, unless you added the account to other

> builtin/adminstrators groups.

>

> The best method I have found is for the domain administrators to have a

> standard user account and a separate domain administrator account for when

> you need admin access across the domain. This prevents making un-intended

> changes and also stops a virus from propogating across the network using your

> credentials.

>

> Hope all that makes sense, if not let me know.

>

> Simon

>

> "weaverbeaver" wrote:

>

> > I believe I understand the uses and relevant privileges of the domain admins

> > group however I am not clear on the builtin\administrators group? Are there

> > any priveleges which would be lost by moving an account from the domain

> > admins group to the builtin\administrators group? My new company have

> > accounts in both groups. Why?

> >

> > thanks in advance