Solved

"Domain Controller Builtin\Administrator" VS "Domain Administrator" - whats the difference

Posted on 2006-10-24
4
954 Views
Last Modified: 2008-02-07
Hi All,


I work in a single domain enviroment.


What's the difference between the builting Domain Controller "Builtin\Administrator" and the "Domain Administrator" group.


The reason i ask is we have a lot of users in "Builtin\Administrator" group on the DC


Thanks
0
Comment
Question by:detox1978
  • 2
4 Comments
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 17798998
EXACLY where are you seeing the builtin\administrator group?
i'm not sure where the "domain administrator" group you are talking about comes from either, b/c in my domain all of the built in groups are called "xxx Admins" without the word administrator spelled out.  This domain has been upgraded from NT4, to 2000 to 2003 so that might be why though.

0
 
LVL 26

Accepted Solution

by:
Pber earned 500 total points
ID: 17799240
For a file server the built in Administrators group has all the admin permissions and by default when it is added to the domain, Domain Admins gets added to the Local Adminstrators.

For the case of AD, the Built in Administrators group pretty much all the local permission to AD and by default the Domain Admins group is a member of the built in administrators.  Domain Admins\enterprise admins\Schema Admins are given addition permissions to the directory that being a member of the built in administrators won't give you.  Also being in Domain Admins by default gives you admin access to all member machines (desktops\servers).

So essentially,

Members of the built in adminstrators, they can do almost anything to AD user/group/computer objects, But they won't have access to the file servers or desktops.  However, they can add themselves to the Domain Admins group and have access to all computers in the domain.



0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 17799346
if you are seeing the 'builting\administrators" on NTFS permissions (the security tab on the properties of a file/folder" then that is the LOCAL admin group.  The domain admin group is a DOMAIN administrator group.  these are two completely different groups.  

>>The reason i ask is we have a lot of users in "Builtin\Administrator" group on the DC
this is what confuses me and why i asked that you explain EXACLY where you saw this.  B/C on a DC, there is no such thing as a local group.

0
 
LVL 2

Author Comment

by:detox1978
ID: 17801718
Thanks Pber, that was what i thought, but wanted it confirmed.


mikeleebrla, mikeleebrla, its in the "Builtin" OU.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question