Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2942
  • Last Modified:

difference between built-in administrator account and admin equivalent accounts

What if any differences are there between the built-in administrator account in Windows e.g. Windows 2008 and an admin equivalent account? For instance let's say I put a user - admin2 - in the Domain Admins group - what differences would there be between the two accounts?
0
lineonecorp
Asked:
lineonecorp
  • 6
  • 4
  • 2
  • +1
7 Solutions
 
AustinComputerLabsCommented:
the built in administrator is a member of roughly 9 administrative groups.
0
 
ArmenioCommented:
the above is true  but in theory  as long as your a member of th administrators group you have the same access as administrator so domain admin has the same access as  the administrator  because he is also a member of administrators security group
0
 
ArmenioCommented:
their are some subtle differences but they will only come into play when you start doing things like migrating the domain and stuff but for most of your admin tasks they as essentially the same
0
Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

 
AustinComputerLabsCommented:
The domain admin will have administrators access on every PC on the domain.
0
 
temoresCommented:
Administrative accounts in an Active Directory domain include:
The Administrator account, which is created when Active Directory is installed on the first domain controller in the domain. This is the most powerful account in the domain. The person who installs Active Directory on the computer creates the password for this account during installation.
 
Any accounts that you later create and either place in a group that has administrative privileges or directly assign administrative privileges.
 
Administrative groups in an Active Directory domain vary depending on the services that you have installed in your domain. Those used specifically for administering Active Directory include:
 
Administrative groups that are automatically created in the Builtin container.

Administrative groups that are automatically created in the Users container.

Any groups that you later create and either place in another group that has administrative privileges or directly assign administrative privileges.



Administrators
This group has complete control over all domain controllers and all directory content stored in the domain, and it can change the membership of all administrative groups in the domain. It is the most powerful service administrative group.
 
Domain Admins
This group is automatically added to the corresponding Administrators group in every domain in the forest. It has complete control over all domain controllers and all directory content stored in the domain and it can modify the membership of all administrative accounts in the domain.
 
0
 
AustinComputerLabsCommented:
@temores An excellent description, you should site your source when using content from others.

The above description was from:
http://technet.microsoft.com/en-us/library/cc700835.aspx

I had my hand slapped by an EE admin when I forgot to site my source.
0
 
lineonecorpAuthor Commented:
Some very good reading here but ....
It seems to me that they are suggesting that we do all kinds of things not to use the built-in admin account - hide, rename, etc. - and use an account that has been put in the Domain Admin's group to do all Admin work. Well if there are some things that this 'Domain Admin equivalent' can't do that the admin can do it would be good to know what they are. So is that the case - an account that is made part of Domain Admins still can't do everything that the default Administrator for the domain created at installation time can do? If so, I would like to know what those 'subtle differences (per armeniospinola) are.
0
 
AustinComputerLabsCommented:
If you are securing your server one of the easiest things you can do is rename, disable or otherwise hide the default administrator account. Part of the reason is that if someone is attempting to access the server and they already know the username of an account with full access they have a significant advantage.
If you create a user that is in all the same groups as the administrator account, it will have all the rights that depend on group membership as the administrator's account.
0
 
lineonecorpAuthor Commented:
"If you create a user that is in all the same groups as the administrator account, it will have all the rights that depend on group membership as the administrator's account."

Putting the admin equivalent user in the Domain Admins account isn't good enough, I take it? I need to put the user explictly into other security groups? These are per your earlier comment:
"the built in administrator is a member of roughly 9 administrative groups."

Is this list enumerated comprehensively somewhere? Are the 8 I see in the article you linked to some of those 9:

Enterprise Admins
Schema Admins
Administrators
Domain Admins
Server Operators
Account Operators
Backup Operators
DS Restore Mode Administrator

Do you know of any additional groups that the default administrator account would be a member of?

In summary assuming the above are 8 of the roughly 9 you mention, is it the case that I need to add the admin equivalent explicitly to each group e.g. they don't automatically get membership/similar rights  just because they are domain admins e.g. they couldn't do a DS Restore after I place them in the Domain Admins group?
0
 
AustinComputerLabsCommented:
that is the default ones.
Some of them will be seldom if ever needed, but that is a user with the same rights (by group membership) as the built in administrator.
0
 
lineonecorpAuthor Commented:
Thanks. Just curious where you got the '9' from?
0
 
AustinComputerLabsCommented:
From one of my servers. After I posted it I realized one was a security group that I added, so 8 is correct to start with.
0
 
lineonecorpAuthor Commented:
Great. Thanks.
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

  • 6
  • 4
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now