Line One

Difference between built-in administrator account and admin equivalent accounts

What, if any, differences are there between the built-in administrator account in Windows (e.g. Windows 2008) and an admin equivalent account? For instance, let's say I put a user - admin2 - in the Domain Admins group - what differences would there be between the two accounts?
ASKER CERTIFIED SOLUTION
AustinComputerLabs
This solution is only available to members.
The above is true, but in theory, as long as you're a member of the Administrators group you have the same access as Administrator, so a domain admin has the same access as the Administrator because he is also a member of the Administrators security group.
SOLUTION
Line One

ASKER

Some very good reading here but ....
It seems to me that they are suggesting that we do all kinds of things not to use the built-in admin account - hide, rename, etc. - and use an account that has been put in the Domain Admins group to do all admin work. Well, if there are some things that this 'Domain Admin equivalent' can't do that the admin can do, it would be good to know what they are. So is that the case - an account that is made part of Domain Admins still can't do everything that the default Administrator for the domain created at installation time can do? If so, I would like to know what those 'subtle differences' (per armeniospinola) are.
SOLUTION
"If you create a user that is in all the same groups as the administrator account, it will have all the rights that depend on group membership as the administrator's account."

Putting the admin equivalent user in the Domain Admins account isn't good enough, I take it? I need to put the user explicitly into other security groups? These are per your earlier comment:
"the built in administrator is a member of roughly 9 administrative groups."

Is this list enumerated comprehensively somewhere? Are the 8 I see in the article you linked to some of those 9:

Enterprise Admins
Schema Admins
Administrators
Domain Admins
Server Operators
Account Operators
Backup Operators
DS Restore Mode Administrator

Do you know of any additional groups that the default administrator account would be a member of?

In summary, assuming the above are 8 of the roughly 9 you mention, is it the case that I need to add the admin equivalent explicitly to each group, e.g. they don't automatically get membership/similar rights just because they are domain admins, e.g. they couldn't do a DS Restore after I place them in the Domain Admins group?
SOLUTION
Thanks. Just curious where you got the '9' from?
From one of my servers. After I posted it I realized one was a security group that I added, so 8 is correct to start with.
Great. Thanks.
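
The following PowerShell is an added example, not posted by anyone in the thread. It compares the effective (nested) group memberships of the built-in Administrator, located by its well-known RID 500 so that a rename does not matter, with the asker's sample account `admin2`. It assumes the ActiveDirectory module (RSAT) is installed and the session runs under a domain account; the function name `Get-EffectiveGroupNames` is hypothetical.

```powershell
# Added example: compare group-derived rights of the built-in Administrator
# and an "admin equivalent" account. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# 'admin2' is the sample account name used in the question; change as needed.
$CandidateName = 'admin2'

function Get-EffectiveGroupNames {
    param([Parameter(Mandatory)] $User)

    # Escape characters that are special inside an LDAP filter value.
    $dn = $User.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' `
                                  -replace '\)', '\29' -replace '\*', '\2a'

    # LDAP_MATCHING_RULE_IN_CHAIN returns direct AND nested memberships,
    # e.g. Administrators reached through membership in Domain Admins.
    $filter = "(member:1.2.840.113556.1.4.1941:=$dn)"
    $names  = @(Get-ADGroup -LDAPFilter $filter | Select-Object -ExpandProperty Name)

    # The primary group is not stored in 'member', so add the direct view too.
    $names += @(Get-ADPrincipalGroupMembership -Identity $User |
                Select-Object -ExpandProperty Name)

    $names | Sort-Object -Unique
}

# The built-in Administrator always has SID <domain SID>-500, even if renamed.
$domain    = Get-ADDomain
$builtin   = Get-ADUser -Identity "$($domain.DomainSID.Value)-500"
$candidate = Get-ADUser -Identity $CandidateName

$builtinGroups   = @(Get-EffectiveGroupNames -User $builtin)
$candidateGroups = @(Get-EffectiveGroupNames -User $candidate)

# '==' both accounts, '<=' only the built-in account, '=>' only the candidate.
Compare-Object -ReferenceObject $builtinGroups `
               -DifferenceObject $candidateGroups -IncludeEqual |
    Sort-Object SideIndicator, InputObject |
    Select-Object @{ Name = 'Group'; Expression = { $_.InputObject } },
                  @{ Name = 'HeldBy'; Expression = {
                        switch ($_.SideIndicator) {
                            '==' { 'both' }
                            '<=' { $builtin.SamAccountName + ' only' }
                            '=>' { $candidate.SamAccountName + ' only' }
                        } } } |
    Format-Table -AutoSize
```

Rows marked as held only by the built-in account are the groups the equivalent account would still need. The comparison covers only rights that depend on group membership.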