Sign in with
Sign up | Sign in
Your question

Domain Admin .vs Adminstrator Account

Last response: in Windows 2000/NT
Share
January 23, 2005 3:05:05 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Are there any diiferences between the accouts in the Domain Admin group and
the Administrator account as far as access & permissions?

Thanks
Anonymous
January 23, 2005 6:13:30 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Domain Admins, which by default contains the Administrator Account, has a
lot of access to that Domain. Pretty much everything. But not entirely
everything.

The Administrator account, on the other hand, is a member of the Domain
Admins, Enterprise Admins and Schema Admins ( assuming that we are talking
about a single domain / tree / forest ). As you can see, it is much more
powerful through the group membership.

Does that answer your question.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"John" <John@discussions.microsoft.com> wrote in message
news:2A0A3B76-C614-43BB-BAD3-79DA274B5DD9@microsoft.com...
> Are there any diiferences between the accouts in the Domain Admin group
> and
> the Administrator account as far as access & permissions?
>
> Thanks
January 23, 2005 8:07:01 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Thanks to all,
That answers my question.

"Cary Shultz [A.D. MVP]" wrote:

> Domain Admins, which by default contains the Administrator Account, has a
> lot of access to that Domain. Pretty much everything. But not entirely
> everything.
>
> The Administrator account, on the other hand, is a member of the Domain
> Admins, Enterprise Admins and Schema Admins ( assuming that we are talking
> about a single domain / tree / forest ). As you can see, it is much more
> powerful through the group membership.
>
> Does that answer your question.
>
> --
> Cary W. Shultz
> Roanoke, VA 24014
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "John" <John@discussions.microsoft.com> wrote in message
> news:2A0A3B76-C614-43BB-BAD3-79DA274B5DD9@microsoft.com...
> > Are there any diiferences between the accouts in the Domain Admin group
> > and
> > the Administrator account as far as access & permissions?
> >
> > Thanks
>
>
>
Related resources
Anonymous
January 23, 2005 11:31:21 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

However, the domain admins group is automatically added to the local
administrators group on all domain members (upon joining), which means that
the domain admins account has full administrative control over all domain
member machines. The administrator account on the other hand, isn't as
powerful in this way (just being an administrator of the domain doesn't mean
you can install software on domain members); the administrator account is
much more powerful, as Cary already stated, from a domain administrative
stand point. That is, full control over the root domain -full control over
all objects and the ability to take ownership of any object. The domain
admins group doesn't have as many rights in this way.

So, the two are quite different. The domain admins group is for
domain-member administration; the administrator account is for domain
administration -the logical and physical structure of the AD itself.

Hope this helps,

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:o 0AVDgYAFHA.3336@TK2MSFTNGP11.phx.gbl...
Domain Admins, which by default contains the Administrator Account, has a
lot of access to that Domain. Pretty much everything. But not entirely
everything.

The Administrator account, on the other hand, is a member of the Domain
Admins, Enterprise Admins and Schema Admins ( assuming that we are talking
about a single domain / tree / forest ). As you can see, it is much more
powerful through the group membership.

Does that answer your question.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"John" <John@discussions.microsoft.com> wrote in message
news:2A0A3B76-C614-43BB-BAD3-79DA274B5DD9@microsoft.com...
> Are there any diiferences between the accouts in the Domain Admin group
> and
> the Administrator account as far as access & permissions?
>
> Thanks
Anonymous
January 23, 2005 11:31:22 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

You guys are right so maybe the real key is in the
way they are (to be) used....

Domain Admins, a GLOBAL, group has no direct
permissions or rights by default, but derives its
privileges by being added to other (Local) groups
on the Domain or the individual Computers.

It is a "collection of users" (who should typically
have administrative access to something.)

Admistrators (a LOCAL group) on either the Domain
or Computer, receives the actual privileges (directly)
and by including others provides that access to
individual users.

Administrators is a collection of privileges (to various
resources.)

THE Administrator account is the initial or default
administrator of either a Domain or a Computer
(because someone needs that role.)


--
Herb Martin


"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:uOPdBqYAFHA.600@TK2MSFTNGP09.phx.gbl...
> However, the domain admins group is automatically added to the local
> administrators group on all domain members (upon joining), which means
that
> the domain admins account has full administrative control over all domain
> member machines. The administrator account on the other hand, isn't as
> powerful in this way (just being an administrator of the domain doesn't
mean
> you can install software on domain members); the administrator account is
> much more powerful, as Cary already stated, from a domain administrative
> stand point. That is, full control over the root domain -full control
over
> all objects and the ability to take ownership of any object. The domain
> admins group doesn't have as many rights in this way.
>
> So, the two are quite different. The domain admins group is for
> domain-member administration; the administrator account is for domain
> administration -the logical and physical structure of the AD itself.
>
> Hope this helps,
>
> --
>
> Paul Williams
>
> http://www.msresource.net
> http://forums.msresource.net
>
>
> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> news:o 0AVDgYAFHA.3336@TK2MSFTNGP11.phx.gbl...
> Domain Admins, which by default contains the Administrator Account, has a
> lot of access to that Domain. Pretty much everything. But not entirely
> everything.
>
> The Administrator account, on the other hand, is a member of the Domain
> Admins, Enterprise Admins and Schema Admins ( assuming that we are talking
> about a single domain / tree / forest ). As you can see, it is much more
> powerful through the group membership.
>
> Does that answer your question.
>
> --
> Cary W. Shultz
> Roanoke, VA 24014
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "John" <John@discussions.microsoft.com> wrote in message
> news:2A0A3B76-C614-43BB-BAD3-79DA274B5DD9@microsoft.com...
> > Are there any diiferences between the accouts in the Domain Admin group
> > and
> > the Administrator account as far as access & permissions?
> >
> > Thanks
>
>
>
Anonymous
January 23, 2005 11:31:23 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

> Domain Admins, a GLOBAL, group has no direct
> permissions or rights by default, but derives its
> privileges by being added to other (Local) groups
> on the Domain or the individual Computers.

This was the case under NT4 but is no longer the case. Domain Admins is the
secprin used on the ACLs of many different objects in AD. This was a change in
2K compared to NT4 where domain admins derived its power from being in the
administrators group of the domain controllers.

Overall Domain Admins have more power in Active Directory directly than
administrators, HOWEVER, administrators have enough power to make themselves
domain admins or better any time they want to. To put it another way, anyone who
has administrators access can have any group membership they want to, they just
have to do a little work.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Herb Martin wrote:
> You guys are right so maybe the real key is in the
> way they are (to be) used....
>
> Domain Admins, a GLOBAL, group has no direct
> permissions or rights by default, but derives its
> privileges by being added to other (Local) groups
> on the Domain or the individual Computers.
>
> It is a "collection of users" (who should typically
> have administrative access to something.)
>
> Admistrators (a LOCAL group) on either the Domain
> or Computer, receives the actual privileges (directly)
> and by including others provides that access to
> individual users.
>
> Administrators is a collection of privileges (to various
> resources.)
>
> THE Administrator account is the initial or default
> administrator of either a Domain or a Computer
> (because someone needs that role.)
>
>
Anonymous
January 24, 2005 12:17:16 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

> This was the case under NT4 but is no longer the case. Domain Admins is
the
> secprin used on the ACLs of many different objects in AD. This was a
change in
> 2K compared to NT4 where domain admins derived its power from being in the
> administrators group of the domain controllers.
>

Thanks. I should have gone and looked to make
sure it was still the same.


"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:#q0mwIbAFHA.2180@TK2MSFTNGP10.phx.gbl...
> > Domain Admins, a GLOBAL, group has no direct
> > permissions or rights by default, but derives its
> > privileges by being added to other (Local) groups
> > on the Domain or the individual Computers.
>
> This was the case under NT4 but is no longer the case. Domain Admins is
the
> secprin used on the ACLs of many different objects in AD. This was a
change in
> 2K compared to NT4 where domain admins derived its power from being in the
> administrators group of the domain controllers.
>
> Overall Domain Admins have more power in Active Directory directly than
> administrators, HOWEVER, administrators have enough power to make
themselves
> domain admins or better any time they want to. To put it another way,
anyone who
> has administrators access can have any group membership they want to, they
just
> have to do a little work.
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Herb Martin wrote:
> > You guys are right so maybe the real key is in the
> > way they are (to be) used....
> >
> > Domain Admins, a GLOBAL, group has no direct
> > permissions or rights by default, but derives its
> > privileges by being added to other (Local) groups
> > on the Domain or the individual Computers.
> >
> > It is a "collection of users" (who should typically
> > have administrative access to something.)
> >
> > Admistrators (a LOCAL group) on either the Domain
> > or Computer, receives the actual privileges (directly)
> > and by including others provides that access to
> > individual users.
> >
> > Administrators is a collection of privileges (to various
> > resources.)
> >
> > THE Administrator account is the initial or default
> > administrator of either a Domain or a Computer
> > (because someone needs that role.)
> >
> >
!