Solved

difference between built-in administrator account and admin equivalent accounts

Posted on 2011-03-17
Last Modified: 2012-05-11
What if any differences are there between the built-in administrator account in Windows e.g. Windows 2008 and an admin equivalent account? For instance let's say I put a user - admin2 - in the Domain Admins group - what differences would there be between the two accounts?
Question by:lineonecorp
13 Comments
 
LVL 13

Accepted Solution

by:
AustinComputerLabs earned 214 total points
ID: 35162283
The built-in administrator is a member of roughly 9 administrative groups.
0
 
LVL 5

Expert Comment

by:Armenio
ID: 35162308
The above is true, but in theory, as long as you're a member of the Administrators group you have the same access as Administrator, so a domain admin has the same access as the administrator because he is also a member of the Administrators security group.
0
 
LVL 5

Assisted Solution

by:Armenio
Armenio earned 43 total points
ID: 35162315
There are some subtle differences, but they will only come into play when you start doing things like migrating the domain and stuff, but for most of your admin tasks they are essentially the same.
0
 
LVL 13

Assisted Solution

by:AustinComputerLabs
AustinComputerLabs earned 214 total points
ID: 35162355
The domain admin will have administrators access on every PC on the domain.
0
 
LVL 2

Assisted Solution

by:temores
temores earned 43 total points
ID: 35162496
Administrative accounts in an Active Directory domain include:
The Administrator account, which is created when Active Directory is installed on the first domain controller in the domain. This is the most powerful account in the domain. The person who installs Active Directory on the computer creates the password for this account during installation.
 
Any accounts that you later create and either place in a group that has administrative privileges or directly assign administrative privileges.
 
Administrative groups in an Active Directory domain vary depending on the services that you have installed in your domain. Those used specifically for administering Active Directory include:
 
Administrative groups that are automatically created in the Builtin container.

Administrative groups that are automatically created in the Users container.

Any groups that you later create and either place in another group that has administrative privileges or directly assign administrative privileges.



Administrators
This group has complete control over all domain controllers and all directory content stored in the domain, and it can change the membership of all administrative groups in the domain. It is the most powerful service administrative group.
 
Domain Admins
This group is automatically added to the corresponding Administrators group in every domain in the forest. It has complete control over all domain controllers and all directory content stored in the domain and it can modify the membership of all administrative accounts in the domain.
 
0
 
LVL 13

Assisted Solution

by:AustinComputerLabs
AustinComputerLabs earned 214 total points
ID: 35162651
@temores An excellent description, you should cite your source when using content from others.

The above description was from:
http://technet.microsoft.com/en-us/library/cc700835.aspx

I had my hand slapped by an EE admin when I forgot to cite my source.
0
 

Author Comment

by:lineonecorp
ID: 35163419
Some very good reading here but ....
It seems to me that they are suggesting that we do all kinds of things not to use the built-in admin account - hide, rename, etc. - and use an account that has been put in the Domain Admins group to do all Admin work. Well, if there are some things that this 'Domain Admin equivalent' can't do that the admin can do, it would be good to know what they are. So is that the case - an account that is made part of Domain Admins still can't do everything that the default Administrator for the domain created at installation time can do? If so, I would like to know what those 'subtle differences' (per armeniospinola) are.
0
 
LVL 13

Assisted Solution

by:AustinComputerLabs
AustinComputerLabs earned 214 total points
ID: 35166111
If you are securing your server one of the easiest things you can do is rename, disable or otherwise hide the default administrator account. Part of the reason is that if someone is attempting to access the server and they already know the username of an account with full access they have a significant advantage.
If you create a user that is in all the same groups as the administrator account, it will have all the rights that depend on group membership as the administrator's account.
0
 

Author Comment

by:lineonecorp
ID: 35167991
"If you create a user that is in all the same groups as the administrator account, it will have all the rights that depend on group membership as the administrator's account."

Putting the admin equivalent user in the Domain Admins account isn't good enough, I take it? I need to put the user explicitly into other security groups? These are per your earlier comment:
"the built in administrator is a member of roughly 9 administrative groups."

Is this list enumerated comprehensively somewhere? Are the 8 I see in the article you linked to some of those 9:

Enterprise Admins
Schema Admins
Administrators
Domain Admins
Server Operators
Account Operators
Backup Operators
DS Restore Mode Administrator

Do you know of any additional groups that the default administrator account would be a member of?

In summary assuming the above are 8 of the roughly 9 you mention, is it the case that I need to add the admin equivalent explicitly to each group e.g. they don't automatically get membership/similar rights  just because they are domain admins e.g. they couldn't do a DS Restore after I place them in the Domain Admins group?
0
 
LVL 13

Assisted Solution

by:AustinComputerLabs
AustinComputerLabs earned 214 total points
ID: 35168992
Those are the default ones.
Some of them will be seldom if ever needed, but that is a user with the same rights (by group membership) as the built in administrator.
0
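Added example (not part of any poster's reply): one way to answer the "which groups is my admin-equivalent account missing?" question from the thread is to compare its group membership, including nested membership, against the built-in Administrator. It assumes the ActiveDirectory PowerShell module is installed; the function names are hypothetical, and `admin2` is the sample account name from the question.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and directory read access.
Import-Module ActiveDirectory

function Get-TransitiveGroup {
    param([Parameter(Mandatory)] $User)
    # Escape LDAP filter metacharacters that may occur in a distinguished name.
    $dn = $User.DistinguishedName
    foreach ($c in '\', '*', '(', ')') {
        $dn = $dn.Replace($c, ('\{0:x2}' -f [int][char]$c))
    }
    # LDAP_MATCHING_RULE_IN_CHAIN follows nested membership. The primary group
    # (normally Domain Users) is not held in "member", so it is not returned.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"
}

function Compare-AdminMembership {
    param([Parameter(Mandatory)] [string] $CandidateSam)

    # The built-in Administrator always has RID 500, even after a rename,
    # so look it up by SID rather than by name.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $builtin   = Get-ADUser -Identity "$domainSid-500"
    $candidate = Get-ADUser -Identity $CandidateSam

    $builtinGroups = @(Get-TransitiveGroup -User $builtin)
    $candidateSids = @(Get-TransitiveGroup -User $candidate |
                       ForEach-Object { $_.SID.Value })

    # One row per group of the built-in account; CandidateHas is False where
    # the admin-equivalent account lacks that membership.
    foreach ($g in ($builtinGroups | Sort-Object Name)) {
        [pscustomobject]@{
            Group        = $g.Name
            Scope        = $g.GroupScope
            CandidateHas = $candidateSids -contains $g.SID.Value
        }
    }
}

# 'admin2' is the sample account name used in the question.
Compare-AdminMembership -CandidateSam 'admin2' | Format-Table -AutoSize
```

The query covers groups in the current domain only, and it reports group membership, not rights assigned directly to an account.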
 

Author Comment

by:lineonecorp
ID: 35170364
Thanks. Just curious where you got the '9' from?
0
 
LVL 13

Expert Comment

by:AustinComputerLabs
ID: 35170463
From one of my servers. After I posted it I realized one was a security group that I added, so 8 is correct to start with.
0
 

Author Comment

by:lineonecorp
ID: 35187708
Great. Thanks.
0
