Re: difference in groups

From: "Paul Williams [MVP]" <ptw2001@xxxxxxxxxxx>
Date: Thu, 9 Mar 2006 08:12:26 -0000

Administrators is a built-in group. This can be thought of as a local
group, except that local, when considered on DCs, covers all DCs. It's not
a local group, but from an abstract level they function the same.

Domain Admins is a global group that is automatically added to the
administrators group of every domain member. So, Domain Admins is a member
of administrators on a DC (which means it has full control over the domain
NC) and on workstations and member servers.

Re. delegation info.

The best practices whitepaper and the appendixes are the best places to
start. I know there's a lot to read, but you can skim it and then write
your proposal on this.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

.

References:
- difference in groups
  - From: Brandon

Prev by Date: Re: Replacing Domain Controller
Next by Date: Re: Policy - Restrict printing files from Share drive
Previous by thread: Re: difference in groups
Next by thread: Re: ADAM Install Error - Error Code: 0x8008041d
Index(es):
- Date
- Thread

Relevant Pages

Re: AD Design
... Within a new domain the domain admins can administer the complete domain, ... If you add them to the Enterprise admins, they are able to administer the complete forest. ... By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. ...
(microsoft.public.windows.server.active_directory)
Re: Opening workstation event view = Access Denied
... You can add domain groups (or user accounts) to local groups using Restricted Groups in a GPO. ... In a domain of any size, you might NOT want the people that administer workstations to be Domain Admins. ... You can then designate which user accounts are workstation administrators without also granting them administrative rights to the whole domain. ... being a member of the Domain Admins group does NOT necesarily mean you are an administrator on the domain member computer. ...
(microsoft.public.windows.server.active_directory)
Re: How to make give cross-domain "Domain Admins" permissions
... that "Domain Admins" do. ... Domain Admins don't have any special permissions, ... member of administrators on every domain member and the ...
(microsoft.public.windows.server.active_directory)
Re: Opening workstation event view = Access Denied
... Domain Admins gets added to the local group called Administrators. ... being a member of the Domain Admins group does NOT necesarily mean you ... Remote Desktop Users pmd.local/Builtin ...
(microsoft.public.windows.server.active_directory)
Add groups to Local Admin group
... I created a .bat file with the following command... ... >the local PC's Administrators group. ... >another domain group to also be a member of the ... >be a member of Domain Admins. ...
(microsoft.public.win2000.security)