What are domain administrator permissions?

Abdu_Allah asked
Last Modified: 2006-11-18
Hi, actually I am new to this topic, but I just want to know: what are domain administrator permissions? And should domain administrator(s) be members of the built-in Administrators group?

Please help.

Basically, members of the Domain Administrators group have Full Control permissions on every object of the domain and are automatically members of the Administrators group on each domain controller and server/workstation of the domain.

To elaborate a bit more:
Name: Domain Admins
Description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.

http://www.microsoft.com/technet/security/topics/networksecurity/sec_ad_admin_groups.mspx

Author

Commented:
Could domain administrators have a different level of administration?! Or is this not possible?

Author

Commented:
In other words, can domain administrators be assigned different permissions?
No, all members of the same group share the same permissions. To create different levels of "clearance" you should create different groups and use delegation, to define a profile for each group:
http://computerperformance.co.uk/w2k3/W2K3_OU_Delegate.htm
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx

This article gives some insight into a practical aspect of user delegation:
http://www.petri.co.il/create_taskpads_for_ad_operations.htm

Author

Commented:
Actually, what I am trying to do is to determine programmatically whether a specific user is an admin or not. The idea that I have is to find out if that user is a member of the built-in Administrators group; if so, then this is a domain administrator user. Do you think this is a good idea?
If I understand correctly what you are trying to do, then the answer is no.
IF a user is a member of the Domain Admins group, THEN he is also a member of the Administrators group; the reverse is not true.
What you could do is try to use a piece of code to retrieve the SID of a user; for example, look here:
http://vbnet.mvps.org/index.html?code/network/isadministrator.htm
Remember that the Domain Admins group has a well-known SID:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q243330
Sorry for the multiple posts: I also found this tiny piece of software, which is able to retrieve group membership in a domain.
http://www.freevbcode.com/ShowCode.Asp?ID=1740
============
The idea that I have is to find if that user is member of administrators built-in group if so then this is domain administrator user, Do you think this is a good idea?
============

Can you explain this statement in more detail?  Are you talking about the built-in administrators group on the domain or on the local workstations?  What are you trying to accomplish?

Author

Commented:
Actually, I have the code that retrieves groups' members, but what I want to do is to check if the given user is a domain admin or not. Now the idea that I have is: if someone is a domain admin, then he must be a member of the built-in Administrators group on the domain, so all I have to do is to check if that user is a member of that group (domain administrators group); then he is an admin.

>Are you talking about the built-in administrators group on the domain or on the local workstations?

Actually I am talking about built-in administrators group on the domain.
In ADUC (dsa.msc), open the built-in Administrators group and see what its members are. If Domain Admins is in there, then yes, all domain admins are part of the built-in Administrators on the domain.

You can also open domain admins in ADUC and see the members.

If you want a CLI version:

dsquery group -name groupname | dsget group -members -expand

where groupname is the name of the group, so administrators and "domain admins"

Author

Commented:
>In ADUC (dsa.msc), open the built-in Administrators group and see what its members are

Sorry, but I do not have a server at this moment.
You can also get the info from the Command line syntax I posted above.

Also, by "DEFAULT" domain admins is part of the built-in administrators group.
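
The distinction the answers above draw (every Domain Admin is in the built-in Administrators group, but not the reverse), as an added example that is not code from the thread or from the linked pages. It assumes the caller already has the user's fully expanded group SIDs in binary form; the function names, the domain SIDs and the three users are constructed for illustration.

```python
import struct

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # well-known alias SID, identical in every domain
DOMAIN_ADMINS_RID = 512                  # well-known RID appended to the domain's own SID

def sid_to_string(raw):
    """Decode a binary SID (the layout AD uses for objectSid values) into S-1-... form."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])    # 32-bit each, little-endian
    return "-".join(["S", "1", str(authority)] + [str(s) for s in subs])

def sid_to_bytes(text):
    """Inverse of sid_to_string; used here only to build the constructed samples."""
    parts = text.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def admin_status(group_sids, domain_sid):
    """Classify a user from the fully expanded list of binary group SIDs."""
    sids = {sid_to_string(g) for g in group_sids}
    return {
        "domain_admin": f"{domain_sid}-{DOMAIN_ADMINS_RID}" in sids,
        "builtin_administrator": BUILTIN_ADMINISTRATORS in sids,
    }

# Constructed sample data: both domain SIDs and all group lists are invented.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
OTHER = "S-1-5-21-1234567890-2345678901-3456789012"
USERS = {
    # Domain Admins member: nested expansion also yields BUILTIN\Administrators.
    "alice": [f"{DOMAIN}-513", f"{DOMAIN}-512", BUILTIN_ADMINISTRATORS],
    # Added directly to BUILTIN\Administrators, so not a Domain Admin.
    "bob": [f"{DOMAIN}-513", BUILTIN_ADMINISTRATORS],
    # Domain Admin of a different domain: RID 512 alone must not match.
    "carol": [f"{OTHER}-512", f"{OTHER}-513"],
}

def report():
    return {name: admin_status([sid_to_bytes(s) for s in sids], DOMAIN)
            for name, sids in USERS.items()}

if __name__ == "__main__":
    for name, status in report().items():
        print(name, status)
```

Testing only for S-1-5-32-544 would report bob as a domain administrator, which is why the check compares against the domain SID plus RID 512 instead.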