Why is the difference between the "administrators" group at the domain, and at the entire directory

I am searching teh active directory (Find Users, contacts, and groups). I have two "administrators" group. One at the level of the domain (I only have one domain) and another at the level of the "Entire Directory". Each of these groups has a different set of users.
The DCs are all running windows servers 2008 R2.
Mo HawkAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Mark BillExchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1Commented:
Have a look at this http://techgenix.com/Built-in-Groups-Delegation/
You should only really be using built in administrator group and domain admins here, the other groups are perhaps custom?
Shreedhar EtteCommented:
Hi Mo Hawk,

There should be only one administrators group. That too a Built in Group.

Please share screen shot to better understand your query.
Tom CieslikIT EngineerCommented:
When you searching your domain.xxx you see groups in your DC, but Entire Directory is showing groups in entire Forest
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Normal Windows computers (standalone or domain joined member client/servers)  have a local security database called a SAM database (Security Accounts Manager). This database stores accounts and credentials local to the device. The local administrator account, any locally created accounts or groups, etc. When a server becomes a domain controller the local SAM database is suspended and the local database for a domain controller becomes the Active Directory database. Now you need to look at your AD database. The scenario you are describing is the child and parent domains within a forest. So:


At the forest level all of the domains are contained within the forest, but within each domain they are separate directory instances.

root.domain has its own domain database.
child.root.domain has its own domain database.

Domains are administrative boundaries. So with that in mind, you would not want people who are members of child\administrators automatically being members of root\administrators. In some organisations 1 team would manage the forest and root domain (look after the schema, etc.), while the individual child domains are delegated out to their own relevant domain administrators. So it is logical that there will be multiple Administrators groups throughout the forest, 1 for each domain. This will apply for ALL built-in groups.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Kevin StanushApplication DeveloperCommented:
If you only have one domain, then you will only have one Administrators group, at least at the domain level.  Each non-domain controller (server, computer) will have its own administrators group.  On the dropdown for ''In:", you should only be seeing your domain, and 'Entire Directory'.  Look at the DN path of each of these 'administrators' groups when you look at it from the domain vs. 'Entire Directory'.  They should be the same.  I'm unclear why you indicate that the membership is different.
Mark BillExchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1Commented:
If your worried about your AD health

Active Directory BPA from Microsoft
Mo HawkAuthor Commented:
Thanks for the comments. I still am not able to grasp:
1- If I have one domain, wouldn't the "administrators" group at the level of the "entire Directory" be the exact same group with the exact same members as the group I see when I search on the domain level?  But this is not the case with me, since I got members that exist in the first and not the second and vice versa.  
2- What is the difference between a member of the "administrators" group at the level of the Entire Directory and another at the level of the domain ?
Mo HawkAuthor Commented:
In my second comment above, i was referring to the difference in access between the two groups.
Mo HawkAuthor Commented:
Update: I think I figured it out. Although I have one domain that has the users and groups; that domain is a child of another domain that barely has a couple of users and groups. i.e. I have Entire Directory then under that mydomain, and then under that I have child.mydomain. So it seems the entire directory search is giving the result for MYDOMAIN as well as child.mydomain
Kevin StanushApplication DeveloperCommented:
OK, well that would explain it, but you originally said that you only had one domain, which is why I think everyone was confused.
Mo HawkAuthor Commented:
Ya sorry about that, I myself missed the parent domain (a few years back there were two child domains, hence the single parent and single child).
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.