Solved

What are domain administrator permissions?

Posted on 2006-03-20
Last Modified: 2006-11-18
Hi, actually I am new to this topic, but I just want to know: what are domain administrator permissions? And should domain administrator(s) be members of the Administrators built-in group?

Please help.
0
Question by:Abdu_Allah
14 Comments
 
LVL 11

Accepted Solution

by:
elbereth21 earned 1600 total points
ID: 16234989
Basically, members of the Domain Administrators have Full Control permissions on every object of the domain and are automatically members of the Administrators group on each Domain controller and server/workstation of the domain.
0
 
LVL 11

Assisted Solution

by:elbereth21
elbereth21 earned 1600 total points
ID: 16235051
To elaborate a bit more:
Name: Domain Admins
Description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.

http://www.microsoft.com/technet/security/topics/networksecurity/sec_ad_admin_groups.mspx
0
 
LVL 3

Author Comment

by:Abdu_Allah
ID: 16235236
Could domain administrators have different levels of administration? Or is this not possible?
0
LVL 3

Author Comment

by:Abdu_Allah
ID: 16235268
In other words, can domain administrators be assigned different permissions?
0
 
LVL 11

Assisted Solution

by:elbereth21
elbereth21 earned 1600 total points
ID: 16235329
No, all members of the same group share the same permissions. To create different levels of "clearance" you should create different groups and use delegation, to define a profile for each group:
http://computerperformance.co.uk/w2k3/W2K3_OU_Delegate.htm
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx

This article gives some insight into a practical aspect of user delegation:
http://www.petri.co.il/create_taskpads_for_ad_operations.htm
0
 
LVL 3

Author Comment

by:Abdu_Allah
ID: 16235476
Actually, what I am trying to do is to determine programmatically whether a specific user is an admin or not. The idea that I have is to find out if that user is a member of the Administrators built-in group; if so, then this is a domain administrator user. Do you think this is a good idea?
0
 
LVL 11

Expert Comment

by:elbereth21
ID: 16235535
If I understand correctly what you are trying to do, then the answer is no.
IF a user is member of the Domain Admins group, THEN he is also member of the Administrators Group, the reverse is not true.
0
 
LVL 11

Assisted Solution

by:elbereth21
elbereth21 earned 1600 total points
ID: 16235686
What you could do is try to use a piece of code to retrieve the SID of a user; for example, look here:
http://vbnet.mvps.org/index.html?code/network/isadministrator.htm
Remember that Domain Admins group has a well known SID:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q243330
0
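The distinction made in the two answers above (Domain Admins implies Administrators, but not the reverse, and Domain Admins has a well-known SID), as an added example that is not part of the original thread or the linked code. It assumes the user's expanded group SIDs are already available in binary form (for example from the logon token or the AD tokenGroups attribute); the domain SIDs and the users alice, bob and carol are constructed sample data.

```python
import struct

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # built-in Administrators alias
DOMAIN_ADMINS_RID = 512                  # well-known RID of Domain Admins

def sid_to_str(raw: bytes) -> str:
    """Decode a binary SID to its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])      # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def str_to_sid(text: str) -> bytes:
    """Inverse of sid_to_str; used here only to build the constructed samples."""
    parts = text.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def admin_status(token_sids, domain_sid: str) -> dict:
    """Classify a user's expanded group SIDs against one specific domain."""
    sids = {sid_to_str(s) for s in token_sids}
    return {
        # Domain Admins = this domain's SID + RID 512; RID 512 alone is not enough.
        "domain_admin": f"{domain_sid}-{DOMAIN_ADMINS_RID}" in sids,
        # Built-in Administrators can also hold users who are not Domain Admins.
        "builtin_admin": BUILTIN_ADMINISTRATORS in sids,
    }

# Constructed sample data: made-up domain SIDs and three users' group SIDs.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
OTHER = "S-1-5-21-1234567890-1234567891-1234567892"
alice = [str_to_sid(f"{DOMAIN}-513"), str_to_sid(f"{DOMAIN}-512"),
         str_to_sid(BUILTIN_ADMINISTRATORS)]                        # real Domain Admin
bob = [str_to_sid(f"{DOMAIN}-513"), str_to_sid(BUILTIN_ADMINISTRATORS)]  # added directly
carol = [str_to_sid(f"{OTHER}-512"), str_to_sid(f"{DOMAIN}-513")]   # admin of another domain

if __name__ == "__main__":
    for name, sids in (("alice", alice), ("bob", bob), ("carol", carol)):
        print(name, admin_status(sids, DOMAIN))
```

bob is the case the thread warns about: membership in the built-in Administrators group without being a Domain Admin.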
 
LVL 11

Assisted Solution

by:elbereth21
elbereth21 earned 1600 total points
ID: 16235778
Sorry for the multiple post: I also found this tiny piece of software which is able to retrieve group membership in a domain.
http://www.freevbcode.com/ShowCode.Asp?ID=1740
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16235811
============
The idea that I have is to find if that user is member of administrators built-in group if so then this is domain administrator user, Do you think this is a good idea?
============

Can you explain this statement in more detail?  Are you talking about the built-in administrators group on the domain or on the local workstations?  What are you trying to accomplish?
0
 
LVL 3

Author Comment

by:Abdu_Allah
ID: 16236143
Actually, I have the code that retrieves groups' members, but what I want to do is to check if the given user is a domain admin or not. Now the idea that I have is that if someone is a domain admin then he must be a member of the built-in administrators group on the domain, so all I have to do is to check if that user is a member of that group (domain administrators group); then he is an admin.

>Are you talking about the built-in administrators group on the domain or on the local workstations?

Actually I am talking about built-in administrators group on the domain.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16236214
In ADUC (dsa.msc), open the built-in administrators group and see what its members are.  If domain admins is in there, then yes, all domain admins are part of the built-in administrators on the domain.

You can also open domain admins in ADUC and see the members.

If you want a CLI version:

dsquery group -name groupname | dsget group -members -expand

where groupname is the name of the group, so administrators and "domain admins"
0
 
LVL 3

Author Comment

by:Abdu_Allah
ID: 16236257
>in ADUC (dsa.msc) open the built in administrators group and see what it's members are

Sorry but I do not have server at this moment.
0
 
LVL 23

Assisted Solution

by:TheCleaner
TheCleaner earned 400 total points
ID: 16236410
You can also get the info from the Command line syntax I posted above.

Also, by "DEFAULT" domain admins is part of the built-in administrators group.
0
