Solved

administrator and administrators OU's in AD? What are there roles?

Posted on 2004-10-06
8
316 Views
Last Modified: 2010-04-19
I am reading through my administrators guide to windows 2003 and in the "active directory objects" it goes over the different roles, domain admins, domain guests etc.

I noticed it has an "Administrator" and an "Administrators" group. What is the difference? Is one a local admin acccount giving full control on the computer locally and the other a server admin account?

Please explain.
Thanks
0
Comment
Question by:georgecooldude
  • 5
  • 3
8 Comments
 
LVL 16

Accepted Solution

by:
JamesDS earned 20 total points
Comment Utility
georgecooldude

The ADMINISTRATOR User account is the primary account for administering the domain.

The ADMINSTRATORS group is a group of users that CAN administer the domain - you can add any user account to this group that you wish to use as an administrator account.

So, if more than one person needs to administer the domain, you add them to the GROUP. If only one person needs the rights, then they could just use the USER account.

Cheers

JamesDS
0
 
LVL 5

Author Comment

by:georgecooldude
Comment Utility
ok thanks!

There are 3 of us who I would like to be administrators. I'll ass us all to the administrators group. I assume this means I don't need to do anything to the Administrator user
0
 
LVL 16

Expert Comment

by:JamesDS
Comment Utility
georgecooldude
Yup, exactly right.

Store the password for the Administrator account in a safe place, just in case you need it.

Cheers

JamesDS
0
 
LVL 5

Author Comment

by:georgecooldude
Comment Utility
Thanks JamesDS,

With this account  do I also have control locally on the computer I logged in with?

I tryed something similar before but was unable to change such settings as the system time.

I know with NT server if you were a member of the administrators group you could do what you liked. It seems and i may be wrong here but to adjust settings locally on computers I have to setup a local administer account on the computer and cannot use my account on the windows 2003 server to adjust things specific to the local computer. Is there a way around this as I dont have time to create local admin accounts on our 100 or so PC's.
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 16

Expert Comment

by:JamesDS
Comment Utility
georgecooldude

The Local Machine is not same security boundary as the Domain.

Make the "Domain Admins" group a member of the local Administrators group on the workstation and then join your administrative user account to the Domain Admins group.

Cheers

JamesDS
0
 
LVL 5

Author Comment

by:georgecooldude
Comment Utility
"Make the "Domain Admins" group a member of the local Administrators group on the workstation"

Where can this be done on a windows XP Pro machine? I am logged in under a windows NT server administrator account. Should I log in as the local administrator account?
0
 
LVL 5

Author Comment

by:georgecooldude
Comment Utility
ok i think i found it.

Its in control panel, then users, and then I click the advanced tab and then the advanced management option. I then get a new box pop up with:

Local users and groups.
 - users
 - groups

I guess I should add the domain admins to the "groups" bit then. :-)
0
 
LVL 5

Author Comment

by:georgecooldude
Comment Utility
Ah, I've found my answer. :)
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now