Domain Admin .vs Adminstrator Account

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Are there any diiferences between the accouts in the Domain Admin group and
the Administrator account as far as access & permissions?

Thanks
 
Domain Admins, which by default contains the Administrator Account, has a
lot of access to that Domain. Pretty much everything. But not entirely
everything.

The Administrator account, on the other hand, is a member of the Domain
Admins, Enterprise Admins and Schema Admins ( assuming that we are talking
about a single domain / tree / forest ). As you can see, it is much more
powerful through the group membership.

Does that answer your question.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
However, the domain admins group is automatically added to the local
administrators group on all domain members (upon joining), which means that
the domain admins account has full administrative control over all domain
member machines. The administrator account on the other hand, isn't as
powerful in this way (just being an administrator of the domain doesn't mean
you can install software on domain members); the administrator account is
much more powerful, as Cary already stated, from a domain administrative
stand point. That is, full control over the root domain -full control over
all objects and the ability to take ownership of any object. The domain
admins group doesn't have as many rights in this way.

So, the two are quite different. The domain admins group is for
domain-member administration; the administrator account is for domain
administration -the logical and physical structure of the AD itself.

Hope this helps,

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


Domain Admins, which by default contains the Administrator Account, has a
lot of access to that Domain. Pretty much everything. But not entirely
everything.

The Administrator account, on the other hand, is a member of the Domain
Admins, Enterprise Admins and Schema Admins ( assuming that we are talking
about a single domain / tree / forest ). As you can see, it is much more
powerful through the group membership.

Does that answer your question.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
You guys are right so maybe the real key is in the
way they are (to be) used....

Domain Admins, a GLOBAL, group has no direct
permissions or rights by default, but derives its
privileges by being added to other (Local) groups
on the Domain or the individual Computers.

It is a "collection of users" (who should typically
have administrative access to something.)

Admistrators (a LOCAL group) on either the Domain
or Computer, receives the actual privileges (directly)
and by including others provides that access to
individual users.

Administrators is a collection of privileges (to various
resources.)

THE Administrator account is the initial or default
administrator of either a Domain or a Computer
(because someone needs that role.)
 
Thanks to all,
That answers my question.

Cary Shultz said:
Domain Admins, which by default contains the Administrator Account, has a
lot of access to that Domain. Pretty much everything. But not entirely
everything.

The Administrator account, on the other hand, is a member of the Domain
Admins, Enterprise Admins and Schema Admins ( assuming that we are talking
about a single domain / tree / forest ). As you can see, it is much more
powerful through the group membership.

Does that answer your question.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
Click to expand...
 
Domain Admins, a GLOBAL, group has no direct
permissions or rights by default, but derives its
privileges by being added to other (Local) groups
on the Domain or the individual Computers.
Click to expand...

This was the case under NT4 but is no longer the case. Domain Admins is the
secprin used on the ACLs of many different objects in AD. This was a change in
2K compared to NT4 where domain admins derived its power from being in the
administrators group of the domain controllers.

Overall Domain Admins have more power in Active Directory directly than
administrators, HOWEVER, administrators have enough power to make themselves
domain admins or better any time they want to. To put it another way, anyone who
has administrators access can have any group membership they want to, they just
have to do a little work.

joe
 
This was the case under NT4 but is no longer the case. Domain Admins is
the
secprin used on the ACLs of many different objects in AD. This was a change in
2K compared to NT4 where domain admins derived its power from being in the
administrators group of the domain controllers.
Click to expand...

Thanks. I should have gone and looked to make
sure it was still the same.
 
Back
Top