Archived from groups: microsoft.public.win2000.active_directory (
More info?)
You guys are right so maybe the real key is in the
way they are (to be) used....
Domain Admins, a GLOBAL, group has no direct
permissions or rights by default, but derives its
privileges by being added to other (Local) groups
on the Domain or the individual Computers.
It is a "collection of users" (who should typically
have administrative access to something.)
Admistrators (a LOCAL group) on either the Domain
or Computer, receives the actual privileges (directly)
and by including others provides that access to
individual users.
Administrators is a collection of privileges (to various
resources.)
THE Administrator account is the initial or default
administrator of either a Domain or a Computer
(because someone needs that role.)
--
Herb Martin
"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:uOPdBqYAFHA.600@TK2MSFTNGP09.phx.gbl...
> However, the domain admins group is automatically added to the local
> administrators group on all domain members (upon joining), which means
that
> the domain admins account has full administrative control over all domain
> member machines. The administrator account on the other hand, isn't as
> powerful in this way (just being an administrator of the domain doesn't
mean
> you can install software on domain members); the administrator account is
> much more powerful, as Cary already stated, from a domain administrative
> stand point. That is, full control over the root domain -full control
over
> all objects and the ability to take ownership of any object. The domain
> admins group doesn't have as many rights in this way.
>
> So, the two are quite different. The domain admins group is for
> domain-member administration; the administrator account is for domain
> administration -the logical and physical structure of the AD itself.
>
> Hope this helps,
>
> --
>
> Paul Williams
>
>
http://www.msresource.net
>
http://forums.msresource.net
>
>
> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> news:O0AVDgYAFHA.3336@TK2MSFTNGP11.phx.gbl...
> Domain Admins, which by default contains the Administrator Account, has a
> lot of access to that Domain. Pretty much everything. But not entirely
> everything.
>
> The Administrator account, on the other hand, is a member of the Domain
> Admins, Enterprise Admins and Schema Admins ( assuming that we are talking
> about a single domain / tree / forest ). As you can see, it is much more
> powerful through the group membership.
>
> Does that answer your question.
>
> --
> Cary W. Shultz
> Roanoke, VA 24014
> Microsoft Active Directory MVP
>
>
http://www.activedirectory-win2000.com
>
http://www.grouppolicy-win2000.com
>
>
>
> "John" <John@discussions.microsoft.com> wrote in message
> news:2A0A3B76-C614-43BB-BAD3-79DA274B5DD9@microsoft.com...
> > Are there any diiferences between the accouts in the Domain Admin group
> > and
> > the Administrator account as far as access & permissions?
> >
> > Thanks
>
>
>