What are domain administrator permissions?

Hi, actually I am new to this topic, but I just want to know: what are domain administrator permissions? And should domain administrator(s) be members of the built-in Administrators group?

Please help.
Abdu_Allah Asked:
 
elbereth21 Commented:
Basically, members of the Domain Administrators have Full Control permissions on every object of the domain and are automatically members of the Administrators group on each Domain controller and server/workstation of the domain.
 
elbereth21 Commented:
To elaborate a bit more:
Name: Domain Admins
Description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.

http://www.microsoft.com/technet/security/topics/networksecurity/sec_ad_admin_groups.mspx
 
Abdu_Allah (Author) Commented:
Could domain administrators have different levels of administration? Or is this not possible?

 
Abdu_Allah (Author) Commented:
In other words, can domain administrators be assigned different permissions?
 
elbereth21 Commented:
No, all members of the same group share the same permissions. To create different levels of "clearance" you should create different groups and use delegation, to define a profile for each group:
http://computerperformance.co.uk/w2k3/W2K3_OU_Delegate.htm
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx

This article gives some insight into a practical aspect of user delegation:
http://www.petri.co.il/create_taskpads_for_ad_operations.htm
 
Abdu_Allah (Author) Commented:
Actually, what I am trying to do is determine programmatically whether a specific user is an admin or not. The idea I have is to find out whether that user is a member of the built-in Administrators group; if so, then this is a domain administrator user. Do you think this is a good idea?
 
elbereth21 Commented:
If I understand correctly what you are trying to do, then the answer is no.
IF a user is a member of the Domain Admins group, THEN he is also a member of the Administrators group; the reverse is not true.
 
elbereth21 Commented:
What you could do is try to use a piece of code to retrieve the SID of a user; for example, look here:
http://vbnet.mvps.org/index.html?code/network/isadministrator.htm
Remember that the Domain Admins group has a well-known SID:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q243330
 
elbereth21 Commented:
Sorry for the multiple posts: I also found this tiny piece of software which is able to retrieve group membership in a domain.
http://www.freevbcode.com/ShowCode.Asp?ID=1740
 
TheCleaner Commented:
============
The idea that I have is to find if that user is member of administrators built-in group if so then this is domain administrator user, Do you think this is a good idea?
============

Can you explain this statement in more detail?  Are you talking about the built-in administrators group on the domain or on the local workstations?  What are you trying to accomplish?
 
Abdu_Allah (Author) Commented:
Actually, I have the code that retrieves groups' members, but what I want to do is check whether the given user is a domain admin or not. Now, the idea I have is that if someone is a domain admin then he must be a member of the built-in administrators group on the domain, so all I have to do is check whether that user is a member of that group (domain administrators group); then he is an admin.

>Are you talking about the built-in administrators group on the domain or on the local workstations?

Actually I am talking about built-in administrators group on the domain.
 
TheCleaner Commented:
In ADUC (dsa.msc), open the built-in administrators group and see what its members are.  If domain admins is in there, then yes, all domain admins are part of the built-in administrators on the domain.

You can also open domain admins in ADUC and see the members.

If you want a CLI version:

dsquery group -name groupname | dsget group -members -expand

where groupname is the name of the group, so administrators and "domain admins"
 
Abdu_Allah (Author) Commented:
>in ADUC (dsa.msc) open the built in administrators group and see what it's members are

Sorry, but I do not have a server at the moment.
 
TheCleaner Commented:
You can also get the info from the Command line syntax I posted above.

Also, by "DEFAULT" domain admins is part of the built-in administrators group.
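Added example (not part of any post above, and not code from the linked pages): a Python model of the two points made in the thread, namely identifying Domain Admins by its well-known SID and expanding nested membership the way `dsget group -members -expand` does. The domain SID, the user names and the extra group with RID 1105 are constructed placeholders; a real check would read the same data from the directory.

```python
import re

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # well-known SID, identical in every domain
DOMAIN_ADMINS_RID = 512                  # well-known RID appended to the domain SID
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder

def domain_admins_sid(domain_sid):
    """Build the Domain Admins SID for a given domain SID."""
    return f"{domain_sid}-{DOMAIN_ADMINS_RID}"

def is_domain_admins_sid(sid):
    """True if the SID has the Domain Admins shape for any domain."""
    return re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-512", sid) is not None

# Constructed sample directory: group SID -> direct members.
# A member that is itself a key of this dict is a nested group.
GROUPS = {
    BUILTIN_ADMINISTRATORS: {domain_admins_sid(DOMAIN_SID),
                             f"{DOMAIN_SID}-1105", "Administrator"},
    domain_admins_sid(DOMAIN_SID): {"alice"},
    f"{DOMAIN_SID}-1105": {"bob"},  # hypothetical group added to Administrators by hand
}

def expand_members(group_sid, groups, _seen=None):
    """Return every user reachable through nested groups."""
    seen = set() if _seen is None else _seen
    if group_sid in seen:            # guard against circular nesting
        return set()
    seen.add(group_sid)
    users = set()
    for member in groups.get(group_sid, ()):
        if member in groups:
            users |= expand_members(member, groups, seen)
        else:
            users.add(member)
    return users

def classify(user, domain_sid=DOMAIN_SID, groups=GROUPS):
    """Report Domain Admins and built-in Administrators membership separately."""
    return {
        "domain_admin": user in expand_members(domain_admins_sid(domain_sid), groups),
        "builtin_admin": user in expand_members(BUILTIN_ADMINISTRATORS, groups),
    }

if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, classify(name))
```

In this sample, bob is in the built-in Administrators group through a nested group without being a Domain Admin, so a test against Administrators alone would misreport him.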
Question has a verified solution.
