What are domain administrator permissions?

Hi, actually I am new to this topic, but I just want to know: what are domain administrator permissions? And should domain administrator(s) be members of the built-in Administrators group?

Please help.
Abdu_Allah Asked:
elbereth21 Commented:
Basically, members of the Domain Administrators have Full Control permissions on every object of the domain and are automatically members of the Administrators group on each Domain controller and server/workstation of the domain.

elbereth21 Commented:
To elaborate a bit more:
Name: Domain Admins
Description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.

http://www.microsoft.com/technet/security/topics/networksecurity/sec_ad_admin_groups.mspx
Abdu_Allah (Author) Commented:
Could domain administrators have different levels of administration, or is this not possible?
Abdu_Allah (Author) Commented:
In other words, can domain administrators be assigned different permissions?
elbereth21 Commented:
No, all members of the same group share the same permissions. To create different levels of "clearance" you should create different groups and use delegation, to define a profile for each group:
http://computerperformance.co.uk/w2k3/W2K3_OU_Delegate.htm
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx

This article gives some insight into a practical aspect of user delegation:
http://www.petri.co.il/create_taskpads_for_ad_operations.htm
Abdu_Allah (Author) Commented:
Actually, what I am trying to do is to determine programmatically whether a specific user is an admin or not. The idea that I have is to find out if that user is a member of the built-in Administrators group; if so, then this is a domain administrator user. Do you think this is a good idea?
elbereth21 Commented:
If I understand correctly what you are trying to do, then the answer is no.
IF a user is a member of the Domain Admins group, THEN he is also a member of the Administrators group; the reverse is not true.
elbereth21 Commented:
What you could do is try to use a piece of code to retrieve the SID of a user; for example, look here:
http://vbnet.mvps.org/index.html?code/network/isadministrator.htm
Remember that Domain Admins group has a well known SID:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q243330
elbereth21 Commented:
Sorry for the multiple post: I also found this tiny piece of software which is able to retrieve group membership in a domain.
http://www.freevbcode.com/ShowCode.Asp?ID=1740
TheCleaner Commented:
============
The idea that I have is to find if that user is member of administrators built-in group if so then this is domain administrator user, Do you think this is a good idea?
============

Can you explain this statement in more detail?  Are you talking about the built-in administrators group on the domain or on the local workstations?  What are you trying to accomplish?
Abdu_Allah (Author) Commented:
Actually I have the code that retrieves groups' members, but what I want to do is to check if the given user is a domain admin or not. Now the idea that I have is that if someone is a domain admin then he must be a member of the built-in Administrators group on the domain, so all I have to do is to check if that user is a member of that group (domain administrators group); then he is an admin.

>Are you talking about the built-in administrators group on the domain or on the local workstations?

Actually I am talking about built-in administrators group on the domain.
TheCleaner Commented:
In ADUC (dsa.msc), open the built-in Administrators group and see what its members are. If Domain Admins is in there, then yes, all domain admins are part of the built-in Administrators on the domain.

You can also open domain admins in ADUC and see the members.

If you want a CLI version:

dsquery group -name groupname | dsget group -members -expand

where groupname is the name of the group, so administrators and "domain admins"
Abdu_Allah (Author) Commented:
>In ADUC (dsa.msc), open the built-in Administrators group and see what its members are

Sorry but I do not have server at this moment.
TheCleaner Commented:
You can also get the info from the Command line syntax I posted above.

Also, by "DEFAULT" domain admins is part of the built-in administrators group.
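
The membership logic discussed in this thread, as an added example that is not part of any post: it expands nested membership the way `dsget group -members -expand` does, and tests the Domain Admins SID (domain SID plus the well-known RID 512) separately from the built-in Administrators SID (S-1-5-32-544). The domain SID, the RIDs above 1000 and the membership table are constructed sample data; the function names are hypothetical.

```python
# Added example: models the check on constructed directory data (no live AD query).
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # well-known SID, identical on every system
DOMAIN_ADMINS_RID = 512                  # well-known RID; full SID is <domain SID>-512
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed value


def domain_admins_sid(domain_sid):
    """Build the Domain Admins SID for one specific domain."""
    return f"{domain_sid}-{DOMAIN_ADMINS_RID}"


# group SID -> direct member SIDs (users or nested groups); constructed sample
MEMBERS = {
    BUILTIN_ADMINISTRATORS: {domain_admins_sid(DOMAIN_SID), f"{DOMAIN_SID}-1105"},
    domain_admins_sid(DOMAIN_SID): {f"{DOMAIN_SID}-1104", f"{DOMAIN_SID}-1201"},
    f"{DOMAIN_SID}-1201": {f"{DOMAIN_SID}-1106"},  # group nested in Domain Admins
}


def expand(group_sid, members=MEMBERS, _seen=None):
    """Return all direct and nested member SIDs; tolerates membership loops."""
    seen = set() if _seen is None else _seen
    result = set()
    for sid in members.get(group_sid, ()):
        if sid in seen:          # already visited: avoids infinite recursion
            continue
        seen.add(sid)
        result.add(sid)
        result |= expand(sid, members, seen)
    return result


def classify(user_sid, domain_sid=DOMAIN_SID, members=MEMBERS):
    """Report Domain Admins and built-in Administrators membership separately."""
    return {
        "domain_admin": user_sid in expand(domain_admins_sid(domain_sid), members),
        "builtin_administrator": user_sid in expand(BUILTIN_ADMINISTRATORS, members),
    }


if __name__ == "__main__":
    for rid in (1104, 1105, 1106, 1107):
        print(rid, classify(f"{DOMAIN_SID}-{rid}"))
```

The account with RID 1105 is the case the thread warns about: it is in the built-in Administrators group without being a domain admin, so testing Administrators membership alone would misclassify it.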
Windows Server 2003