difference between built-in administrator account and admin equivalent accounts

Posted on 2011-03-17
Last Modified: 2012-05-11
What if any differences are there between the built-in administrator account in Windows e.g. Windows 2008 and an admin equivalent account? For instance let's say I put a user - admin2 - in the Domain Admins group - what differences would there be between the two accounts?
0
Question by:lineonecorp
13 Comments
 
LVL 13

Accepted Solution

by:
AustinComputerLabs earned 856 total points
ID: 35162283
The built-in administrator is a member of roughly 9 administrative groups.
0
 
LVL 5

Expert Comment

by:Armenio
ID: 35162308
The above is true, but in theory, as long as you're a member of the Administrators group you have the same access as Administrator, so a domain admin has the same access as the Administrator because he is also a member of the Administrators security group.
0
 
LVL 5

Assisted Solution

by:Armenio
Armenio earned 172 total points
ID: 35162315
There are some subtle differences, but they will only come into play when you start doing things like migrating the domain and stuff, but for most of your admin tasks they are essentially the same.
0

 
LVL 13

Assisted Solution

by:AustinComputerLabs
AustinComputerLabs earned 856 total points
ID: 35162355
The domain admin will have administrators access on every PC on the domain.
0
 
LVL 2

Assisted Solution

by:temores
temores earned 172 total points
ID: 35162496
Administrative accounts in an Active Directory domain include:
The Administrator account, which is created when Active Directory is installed on the first domain controller in the domain. This is the most powerful account in the domain. The person who installs Active Directory on the computer creates the password for this account during installation.
 
Any accounts that you later create and either place in a group that has administrative privileges or directly assign administrative privileges.
 
Administrative groups in an Active Directory domain vary depending on the services that you have installed in your domain. Those used specifically for administering Active Directory include:
 
Administrative groups that are automatically created in the Builtin container.

Administrative groups that are automatically created in the Users container.

Any groups that you later create and either place in another group that has administrative privileges or directly assign administrative privileges.



Administrators
This group has complete control over all domain controllers and all directory content stored in the domain, and it can change the membership of all administrative groups in the domain. It is the most powerful service administrative group.
 
Domain Admins
This group is automatically added to the corresponding Administrators group in every domain in the forest. It has complete control over all domain controllers and all directory content stored in the domain and it can modify the membership of all administrative accounts in the domain.
 
0
 
LVL 13

Assisted Solution

by:AustinComputerLabs
AustinComputerLabs earned 856 total points
ID: 35162651
@temores An excellent description; you should cite your source when using content from others.

The above description was from:
http://technet.microsoft.com/en-us/library/cc700835.aspx

I had my hand slapped by an EE admin when I forgot to cite my source.
0
 

Author Comment

by:lineonecorp
ID: 35163419
Some very good reading here but ....
It seems to me that they are suggesting that we do all kinds of things not to use the built-in admin account - hide, rename, etc. - and use an account that has been put in the Domain Admins group to do all Admin work. Well, if there are some things that this 'Domain Admin equivalent' can't do that the admin can do, it would be good to know what they are. So is that the case - an account that is made part of Domain Admins still can't do everything that the default Administrator for the domain created at installation time can do? If so, I would like to know what those 'subtle differences' (per armeniospinola) are.
0
 
LVL 13

Assisted Solution

by:AustinComputerLabs
AustinComputerLabs earned 856 total points
ID: 35166111
If you are securing your server one of the easiest things you can do is rename, disable or otherwise hide the default administrator account. Part of the reason is that if someone is attempting to access the server and they already know the username of an account with full access they have a significant advantage.
If you create a user that is in all the same groups as the administrator account, it will have all the rights that depend on group membership as the administrator's account.
0
 

Author Comment

by:lineonecorp
ID: 35167991
"If you create a user that is in all the same groups as the administrator account, it will have all the rights that depend on group membership as the administrator's account."

Putting the admin equivalent user in the Domain Admins account isn't good enough, I take it? I need to put the user explicitly into other security groups? These are per your earlier comment:
"the built in administrator is a member of roughly 9 administrative groups."

Is this list enumerated comprehensively somewhere? Are the 8 I see in the article you linked to some of those 9:

Enterprise Admins
Schema Admins
Administrators
Domain Admins
Server Operators
Account Operators
Backup Operators
DS Restore Mode Administrator

Do you know of any additional groups that the default administrator account would be a member of?

In summary assuming the above are 8 of the roughly 9 you mention, is it the case that I need to add the admin equivalent explicitly to each group e.g. they don't automatically get membership/similar rights  just because they are domain admins e.g. they couldn't do a DS Restore after I place them in the Domain Admins group?
0
 
LVL 13

Assisted Solution

by:AustinComputerLabs
AustinComputerLabs earned 856 total points
ID: 35168992
Those are the default ones.
Some of them will be seldom if ever needed, but that is a user with the same rights (by group membership) as the built in administrator.
0
 

Author Comment

by:lineonecorp
ID: 35170364
Thanks. Just curious where you got the '9' from?
0
 
LVL 13

Expert Comment

by:AustinComputerLabs
ID: 35170463
From one of my servers. After I posted it I realized one was a security group that I added, so 8 is correct to start with.
0
 

Author Comment

by:lineonecorp
ID: 35187708
Great. Thanks.
0
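
The group comparison discussed in this thread can be checked directly on a domain. The script below is an added example, not code from any poster in the thread: it lists the direct group memberships of the built-in Administrator and of a second account and shows where they differ. It assumes the RSAT ActiveDirectory PowerShell module and a domain-joined session; `admin2` is the account name from the question, and `Get-DirectGroupName` is a helper defined here.

```powershell
#Requires -Modules ActiveDirectory
# Added example: compare the direct group memberships of the built-in
# Administrator with those of a second account. 'admin2' is the name used in
# the question; pass -CompareAccount to check a different account.
param(
    [string]$CompareAccount = 'admin2'
)

# The built-in account keeps the well-known RID 500 even after it has been
# renamed, so look it up by SID rather than by the name "Administrator".
$domainSid = (Get-ADDomain).DomainSID.Value
$builtIn   = Get-ADUser -Identity "$domainSid-500"
$other     = Get-ADUser -Identity $CompareAccount

function Get-DirectGroupName {
    param([Parameter(Mandatory)] $User)
    # Direct memberships only (the primary group is included); nested
    # memberships are not expanded.
    Get-ADPrincipalGroupMembership -Identity $User |
        Select-Object -ExpandProperty Name |
        Sort-Object -Unique
}

$builtInGroups = @(Get-DirectGroupName -User $builtIn)
$otherGroups   = @(Get-DirectGroupName -User $other)

"Built-in account : $($builtIn.SamAccountName) ($($builtInGroups.Count) groups)"
"Compared account : $($other.SamAccountName) ($($otherGroups.Count) groups)"

# SideIndicator '<=' means only the built-in account is a member,
# '=>' means only the compared account is, '==' means both are.
Compare-Object -ReferenceObject $builtInGroups -DifferenceObject $otherGroups -IncludeEqual |
    Sort-Object SideIndicator, InputObject |
    Format-Table @{n = 'Group'; e = { $_.InputObject } },
                 @{n = 'Membership'; e = {
                     switch ($_.SideIndicator) {
                         '<=' { 'built-in only' }
                         '=>' { "$CompareAccount only" }
                         '==' { 'both' }
                     }
                 } } -AutoSize
```

Rows marked "built-in only" are the groups the second account would still need to match the built-in account by group membership; the script does not cover anything that is not expressed as a group membership.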
