limits of a local admin

can you help me find the technet document that lists the limitations of a local admin vs domain admin
Who is Participating?
cantorisConnect With a Mentor Commented:
Just to expand on the above,
A local administrator has administrative access to JUST that one local machine.  That admin account is created locally on that machine and lives within its Security Accounts Manager database.  It is recognised only on that machine.  It can only appear to work on other machines if those machines have the exact same username and password created on them.

A domain administrator has administrative access to ALL the machines in the domain.  That account lives within Active Directory and is part of the domain admins group.  The domain admins group is automatically made a member of the local administrators group on all machines joined to the domain.  So a domain admin had administrative rights to all machines.

To go from being a local admin to a full domain admin is a massive jump UP, so a local admin cannot promote an account to domain admin for security reasons.
A local admin CAN add a domain account to the LOCAL administrators group of the SAME machine that the admin account lives on.  That admin is only granting administrative access to something he already has full control over.
25112Author Commented:
mainly need to validate this
"A Local admin cannot make a domain account an admin, only Domain admins can do that"
with a msdn link.

helpfinderConnect With a Mentor IT ConsultantCommented:
local admin is admin for a single computer
domai admin is admin for entire domain (for all computers joined into domain)

here you have an article about domain and local admins:
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.