Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

limits of a local admin

Posted on 2014-02-20
3
Medium Priority
?
386 Views
Last Modified: 2014-03-05
can you help me find the technet document that lists the limitations of a local admin vs domain admin
0
Comment
Question by:25112
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 5

Author Comment

by:25112
ID: 39874501
mainly need to validate this
"A Local admin cannot make a domain account an admin, only Domain admins can do that"
with a msdn link.

thanks.
0
 
LVL 19

Assisted Solution

by:helpfinder
helpfinder earned 1000 total points
ID: 39874518
local admin is admin for a single computer
domai admin is admin for entire domain (for all computers joined into domain)

here you have an article about domain and local admins:
http://technet.microsoft.com/en-us/library/bb726982.aspx
0
 
LVL 16

Accepted Solution

by:
cantoris earned 1000 total points
ID: 39875383
Just to expand on the above,
A local administrator has administrative access to JUST that one local machine.  That admin account is created locally on that machine and lives within its Security Accounts Manager database.  It is recognised only on that machine.  It can only appear to work on other machines if those machines have the exact same username and password created on them.

A domain administrator has administrative access to ALL the machines in the domain.  That account lives within Active Directory and is part of the domain admins group.  The domain admins group is automatically made a member of the local administrators group on all machines joined to the domain.  So a domain admin had administrative rights to all machines.

To go from being a local admin to a full domain admin is a massive jump UP, so a local admin cannot promote an account to domain admin for security reasons.
A local admin CAN add a domain account to the LOCAL administrators group of the SAME machine that the admin account lives on.  That admin is only granting administrative access to something he already has full control over.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Configuring Remote Assistance for use with SCCM
Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question