Re: True difference between Domain Admin grp and Administrators Group
- From: "Michael Giorgio - MS MVP" <Michael.Giorgio@xxxxxxxxxxxxxxxxxxx>
- Date: Wed, 6 Apr 2005 15:59:09 -0400
The answer is: They lose nothing. The domain admin group
is a member of the domain "administrator" group by default.
I can think of one main difference off the top of my head:
The domain admin group not only has local administrator
access to all DCs like the domain "administrator" group but
it also has local "administrative" access to all domain members
as well. When a computer joins the domain the domain admin
group is automatically added to the local "administrators" group.
The domain "administrators" group is a local group and the
"domain admin" group is a global group. Below is the official
explaination from Windows Server 2003 Help and Support:
Domain Admins
Description:
Members of this group have full control of the domain. By default, this
group is a member of the Administrators group on all domain controllers, all
domain workstations, and all domain member servers at the time they are
joined to the domain. By default, the Administrator account is a member of
this group. Because the group has full control in the domain, add users with
caution.
Default User Rights:
Access this computer from the network; Adjust memory quotas for a process;
Back up files and directories; Bypass traverse checking; Change the system
time; Create a pagefile; Debug programs; Enable computer and user accounts
to be trusted for delegation; Force a shutdown from a remote system;
Increase scheduling priority; Load and unload device drivers; Allow log on
locally; Manage auditing and security log; Modify firmware environment
values; Profile single process; Profile system performance; Remove computer
from docking station; Restore files and directories; Shut down the system;
Take ownership of files or other objects.
Administrators
Description:
Members of this group have full control of all domain controllers in the
domain. By default, the Domain Admins and Enterprise Admins groups are
members of the Administrators group. The Administrator account is also a
default member. Because this group has full control in the domain, add users
with caution.
Default User rights:
Access this computer from the network; Adjust memory quotas for a process;
Back up files and directories; Bypass traverse checking; Change the system
time; Create a pagefile; Debug programs; Enable computer and user accounts
to be trusted for delegation; Force a shutdown from a remote system;
Increase scheduling priority; Load and unload device drivers; Allow log on
locally; Manage auditing and security log; Modify firmware environment
values; Profile single process; Profile system performance; Remove computer
from docking station; Restore files and directories; Shut down the system;
Take ownership of files or other objects.
"Rob" <Rob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:
> All.
>
> I am trying to come up with a true reason adn difference between the
> Administrators group and the Domain Admins group. OTHER THAN... the fact
that
> Administrators have local access and control. If in the Domain Admins
what
> else do they lose??
>
> Also.. What the heirarchy of all teh Built in user groups..
>
> Thanks
>
> r
.
- References:
- Prev by Date: Re: Backup Failing With VSS Events 12292 & 11
- Next by Date: Restrict Access to Local Admins group
- Previous by thread: True difference between Domain Admin grp and Administrators Group
- Next by thread: Username & Password not available on server?
- Index(es):
Relevant Pages
|
