Domain Admin .vs Adminstrator Account

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Are there any diiferences between the accouts in the Domain Admin group and
the Administrator account as far as access & permissions?

Thanks
6 answers Last reply
More about domain admin adminstrator account
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Domain Admins, which by default contains the Administrator Account, has a
    lot of access to that Domain. Pretty much everything. But not entirely
    everything.

    The Administrator account, on the other hand, is a member of the Domain
    Admins, Enterprise Admins and Schema Admins ( assuming that we are talking
    about a single domain / tree / forest ). As you can see, it is much more
    powerful through the group membership.

    Does that answer your question.

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "John" <John@discussions.microsoft.com> wrote in message
    news:2A0A3B76-C614-43BB-BAD3-79DA274B5DD9@microsoft.com...
    > Are there any diiferences between the accouts in the Domain Admin group
    > and
    > the Administrator account as far as access & permissions?
    >
    > Thanks
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Thanks to all,
    That answers my question.

    "Cary Shultz [A.D. MVP]" wrote:

    > Domain Admins, which by default contains the Administrator Account, has a
    > lot of access to that Domain. Pretty much everything. But not entirely
    > everything.
    >
    > The Administrator account, on the other hand, is a member of the Domain
    > Admins, Enterprise Admins and Schema Admins ( assuming that we are talking
    > about a single domain / tree / forest ). As you can see, it is much more
    > powerful through the group membership.
    >
    > Does that answer your question.
    >
    > --
    > Cary W. Shultz
    > Roanoke, VA 24014
    > Microsoft Active Directory MVP
    >
    > http://www.activedirectory-win2000.com
    > http://www.grouppolicy-win2000.com
    >
    >
    >
    > "John" <John@discussions.microsoft.com> wrote in message
    > news:2A0A3B76-C614-43BB-BAD3-79DA274B5DD9@microsoft.com...
    > > Are there any diiferences between the accouts in the Domain Admin group
    > > and
    > > the Administrator account as far as access & permissions?
    > >
    > > Thanks
    >
    >
    >
  3. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    However, the domain admins group is automatically added to the local
    administrators group on all domain members (upon joining), which means that
    the domain admins account has full administrative control over all domain
    member machines. The administrator account on the other hand, isn't as
    powerful in this way (just being an administrator of the domain doesn't mean
    you can install software on domain members); the administrator account is
    much more powerful, as Cary already stated, from a domain administrative
    stand point. That is, full control over the root domain -full control over
    all objects and the ability to take ownership of any object. The domain
    admins group doesn't have as many rights in this way.

    So, the two are quite different. The domain admins group is for
    domain-member administration; the administrator account is for domain
    administration -the logical and physical structure of the AD itself.

    Hope this helps,

    --

    Paul Williams

    http://www.msresource.net
    http://forums.msresource.net


    "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    news:O0AVDgYAFHA.3336@TK2MSFTNGP11.phx.gbl...
    Domain Admins, which by default contains the Administrator Account, has a
    lot of access to that Domain. Pretty much everything. But not entirely
    everything.

    The Administrator account, on the other hand, is a member of the Domain
    Admins, Enterprise Admins and Schema Admins ( assuming that we are talking
    about a single domain / tree / forest ). As you can see, it is much more
    powerful through the group membership.

    Does that answer your question.

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "John" <John@discussions.microsoft.com> wrote in message
    news:2A0A3B76-C614-43BB-BAD3-79DA274B5DD9@microsoft.com...
    > Are there any diiferences between the accouts in the Domain Admin group
    > and
    > the Administrator account as far as access & permissions?
    >
    > Thanks
  4. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    You guys are right so maybe the real key is in the
    way they are (to be) used....

    Domain Admins, a GLOBAL, group has no direct
    permissions or rights by default, but derives its
    privileges by being added to other (Local) groups
    on the Domain or the individual Computers.

    It is a "collection of users" (who should typically
    have administrative access to something.)

    Admistrators (a LOCAL group) on either the Domain
    or Computer, receives the actual privileges (directly)
    and by including others provides that access to
    individual users.

    Administrators is a collection of privileges (to various
    resources.)

    THE Administrator account is the initial or default
    administrator of either a Domain or a Computer
    (because someone needs that role.)


    --
    Herb Martin


    "ptwilliams" <ptw2001@hotmail.com> wrote in message
    news:uOPdBqYAFHA.600@TK2MSFTNGP09.phx.gbl...
    > However, the domain admins group is automatically added to the local
    > administrators group on all domain members (upon joining), which means
    that
    > the domain admins account has full administrative control over all domain
    > member machines. The administrator account on the other hand, isn't as
    > powerful in this way (just being an administrator of the domain doesn't
    mean
    > you can install software on domain members); the administrator account is
    > much more powerful, as Cary already stated, from a domain administrative
    > stand point. That is, full control over the root domain -full control
    over
    > all objects and the ability to take ownership of any object. The domain
    > admins group doesn't have as many rights in this way.
    >
    > So, the two are quite different. The domain admins group is for
    > domain-member administration; the administrator account is for domain
    > administration -the logical and physical structure of the AD itself.
    >
    > Hope this helps,
    >
    > --
    >
    > Paul Williams
    >
    > http://www.msresource.net
    > http://forums.msresource.net
    >
    >
    > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    > news:O0AVDgYAFHA.3336@TK2MSFTNGP11.phx.gbl...
    > Domain Admins, which by default contains the Administrator Account, has a
    > lot of access to that Domain. Pretty much everything. But not entirely
    > everything.
    >
    > The Administrator account, on the other hand, is a member of the Domain
    > Admins, Enterprise Admins and Schema Admins ( assuming that we are talking
    > about a single domain / tree / forest ). As you can see, it is much more
    > powerful through the group membership.
    >
    > Does that answer your question.
    >
    > --
    > Cary W. Shultz
    > Roanoke, VA 24014
    > Microsoft Active Directory MVP
    >
    > http://www.activedirectory-win2000.com
    > http://www.grouppolicy-win2000.com
    >
    >
    >
    > "John" <John@discussions.microsoft.com> wrote in message
    > news:2A0A3B76-C614-43BB-BAD3-79DA274B5DD9@microsoft.com...
    > > Are there any diiferences between the accouts in the Domain Admin group
    > > and
    > > the Administrator account as far as access & permissions?
    > >
    > > Thanks
    >
    >
    >
  5. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    > Domain Admins, a GLOBAL, group has no direct
    > permissions or rights by default, but derives its
    > privileges by being added to other (Local) groups
    > on the Domain or the individual Computers.

    This was the case under NT4 but is no longer the case. Domain Admins is the
    secprin used on the ACLs of many different objects in AD. This was a change in
    2K compared to NT4 where domain admins derived its power from being in the
    administrators group of the domain controllers.

    Overall Domain Admins have more power in Active Directory directly than
    administrators, HOWEVER, administrators have enough power to make themselves
    domain admins or better any time they want to. To put it another way, anyone who
    has administrators access can have any group membership they want to, they just
    have to do a little work.

    joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    Herb Martin wrote:
    > You guys are right so maybe the real key is in the
    > way they are (to be) used....
    >
    > Domain Admins, a GLOBAL, group has no direct
    > permissions or rights by default, but derives its
    > privileges by being added to other (Local) groups
    > on the Domain or the individual Computers.
    >
    > It is a "collection of users" (who should typically
    > have administrative access to something.)
    >
    > Admistrators (a LOCAL group) on either the Domain
    > or Computer, receives the actual privileges (directly)
    > and by including others provides that access to
    > individual users.
    >
    > Administrators is a collection of privileges (to various
    > resources.)
    >
    > THE Administrator account is the initial or default
    > administrator of either a Domain or a Computer
    > (because someone needs that role.)
    >
    >
  6. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    > This was the case under NT4 but is no longer the case. Domain Admins is
    the
    > secprin used on the ACLs of many different objects in AD. This was a
    change in
    > 2K compared to NT4 where domain admins derived its power from being in the
    > administrators group of the domain controllers.
    >

    Thanks. I should have gone and looked to make
    sure it was still the same.


    "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
    news:#q0mwIbAFHA.2180@TK2MSFTNGP10.phx.gbl...
    > > Domain Admins, a GLOBAL, group has no direct
    > > permissions or rights by default, but derives its
    > > privileges by being added to other (Local) groups
    > > on the Domain or the individual Computers.
    >
    > This was the case under NT4 but is no longer the case. Domain Admins is
    the
    > secprin used on the ACLs of many different objects in AD. This was a
    change in
    > 2K compared to NT4 where domain admins derived its power from being in the
    > administrators group of the domain controllers.
    >
    > Overall Domain Admins have more power in Active Directory directly than
    > administrators, HOWEVER, administrators have enough power to make
    themselves
    > domain admins or better any time they want to. To put it another way,
    anyone who
    > has administrators access can have any group membership they want to, they
    just
    > have to do a little work.
    >
    > joe
    >
    > --
    > Joe Richards Microsoft MVP Windows Server Directory Services
    > www.joeware.net
    >
    >
    > Herb Martin wrote:
    > > You guys are right so maybe the real key is in the
    > > way they are (to be) used....
    > >
    > > Domain Admins, a GLOBAL, group has no direct
    > > permissions or rights by default, but derives its
    > > privileges by being added to other (Local) groups
    > > on the Domain or the individual Computers.
    > >
    > > It is a "collection of users" (who should typically
    > > have administrative access to something.)
    > >
    > > Admistrators (a LOCAL group) on either the Domain
    > > or Computer, receives the actual privileges (directly)
    > > and by including others provides that access to
    > > individual users.
    > >
    > > Administrators is a collection of privileges (to various
    > > resources.)
    > >
    > > THE Administrator account is the initial or default
    > > administrator of either a Domain or a Computer
    > > (because someone needs that role.)
    > >
    > >
Ask a new question

Read More

Domain Microsoft Active Directory Windows