What's the difference between builtin local/administrators and Domain Admins in AD 2003?

I don't mean the local/administrators account on the server but the one that we find in AD in the Builtin container.

Thanks.
SAM2009 Asked:
PACSAdmin (ICT Operations Manager) Commented:
0
yo_bee (Director of Information Technology) Commented:
That is the local admin to the server.
0
Praveen Balan (Solution Architect) Commented:
The member of Built in Administrators group can Members can fully administer the computer/domain, apart from this permissions on registry, user, files etc on assigned to this groups (both on dc's , member servers and workstations).

As you know, Domain Admins is a member of the Built-in Administrators group, so all the above permissions are assigned by default to Domain Admins as well.

The difference is that you can add Domain Admins to other groups, but not the Administrators group. Simply put, built-in groups cannot be added to other groups.

Praveen
0
Aeriden Commented:
Administrators is a group on the local SAM (the security account database that resides on all Windows machines when not a domain controller - servers and workstations). Domain Admins is a group that resides within the Active Directory that replicates across all domain controllers within a given domain (e.g. mydomain.local). A builtin\Administrators group on one server is completely different from builtin\Administrators on another server. Being a member on one server limits admin access to only that server. Being a member of Domain Admins, however, gives admin rights on all Domain Controllers. In addition, a member server (non-domain controller) of a domain, when joining the domain, automatically has builtin\Administrators added to the Domain Admins group, thus allowing a user in Domain Admins to administer those member servers. There is an advantage to using Active Directory for centralized management of security, while the local security is linked to Active Directory. This makes managing servers much more straightforward. Users that log in to the domain get access via transitive association (the user belongs to an Active Directory group, the Active Directory groups are linked to local security groups... therefore the user has local security access), which is very manageable, especially for a large number of servers.
0
SAM2009 (Author) Commented:
Wait wait guys! :)

I'm talking about the builtin local/administrators in Active Directory, not the one on the server.
I understand the role of the local administrators group on the server, but what I don't understand well is the builtin local/administrators in Active Directory.

Is it the same?

Thanks.

0
Praveen Balan (Solution Architect) Commented:
I have explained the same in the previous comment (built-in administrators group and domain admins group on an AD (DC) server).

Not the local admin of any member server.

-Praveen
0
SAM2009 (Author) Commented:
Sorry Praveen, yes, you have understood my question, but I just want to specify for the other experts. Hi! Hi! Just to make sure I explained well what I mean.
0
SAM2009 (Author) Commented:
Please, I don't understand this part of the explanation:

The member of Built in Administrators group can Members can fully administer the computer/domain, apart from this permissions on registry, user, files etc on assigned to this groups (both on dc's , member servers and workstations).
0
Praveen Balan (Solution Architect) Commented:
Simply put, a member of the Administrators group can fully administer the computer/domain (this includes the permissions on the registry, users and files of all DCs, member servers and workstations).

Domain Admins are part of the built-in Administrators group and can also be added to other groups for delegating more permissions, whereas the built-in Administrators group cannot be added to other groups.

For full details, follow this article from TechNet - http://technet.microsoft.com/en-us/library/cc756898%28v=ws.10%29.aspx
0
SAM2009 (Author) Commented:
Basically your explanations are correct, guys, but I have to add this part to complete them:

The Builtin Local Administrators group in Active Directory is the same as the local administrators group on a server, except it's for Domain Controllers, because all domain controllers use the same security database.

Members of those will not be allowed to administer a member server or workstation within the domain, just the domain controllers.
0
SAM2009 (Author) Commented:
Thanks everybody!
0
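
An added example, not part of the thread: one way to compare the two groups discussed above from the directory side and list who holds admin rights on the domain controllers without being in Domain Admins. It assumes the ActiveDirectory PowerShell module is installed and that a domain controller answers its queries; the variable names are illustrative.

```powershell
# Added example: compare Builtin\Administrators with Domain Admins from the directory side.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Well-known SIDs: S-1-5-32-544 = Builtin\Administrators, <domain SID>-512 = Domain Admins.
$builtinAdmins = Get-ADGroup -Identity 'S-1-5-32-544' -Properties groupType
$domainAdmins  = Get-ADGroup -Identity "$domainSid-512" -Properties groupType

# Scope and container show why the two groups behave differently:
# the Builtin group lives in CN=Builtin and is local to the DCs' shared database,
# Domain Admins is a global group that can be nested into other groups.
$builtinAdmins, $domainAdmins |
    Select-Object Name, GroupScope, groupType, DistinguishedName |
    Format-List

# Direct members of Builtin\Administrators (Domain Admins is normally one of them).
$direct = Get-ADGroupMember -Identity $builtinAdmins
$direct | Select-Object Name, objectClass, SamAccountName | Format-Table -AutoSize

# Effective membership after expanding nested groups.
$effective = Get-ADGroupMember -Identity $builtinAdmins -Recursive
$daSids    = Get-ADGroupMember -Identity $domainAdmins -Recursive |
                 ForEach-Object { $_.SID.Value }

# Accounts that administer the domain controllers without being in Domain Admins.
# These are easy to miss in a review that only looks at Domain Admins.
$dcOnly = $effective | Where-Object { $daSids -notcontains $_.SID.Value }
$dcOnly | Select-Object Name, SamAccountName, SID | Format-Table -AutoSize
```

Accounts in the last table are worth reviewing alongside Domain Admins, since they can administer the domain controllers but are not picked up by a check of Domain Admins alone.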