20

Having read in the Microsoft Docs article Default groups the description of these two groups:

Domain Admins

"Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution."

Administrators

"Members of this group have full control of all domain controllers in the domain. By default, the Domain Admins and Enterprise Admins groups are members of the Administrators group. The Administrator account is also a default member. Because this group has full control in the domain, add users with caution."

and that the same article gives both groups the exact same description of their Default user rights:

Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.

Further, the Microsoft Docs article Default local groups includes this description of the Administrators group:

"Members of this group have full control of the server and can assign user rights and access control permissions to users as necessary. The Administrator account is also a default member. When this server is joined to a domain, the Domain Admins group is automatically added to this group..."

[emphasis mine]

Given the above, I do not understand:

  1. What are the differences between them?
  2. When to use which in their default incarnation?
  3. How to specialize their engagement?
  4. If the Domain Admins are members of Administrators, doesn't it make them always equal?

This question is a sub-question of, and asked in the context of, the question Is the context of local user of AD-joined machine a domain machine account or of local machine account?

I say Reinstate Monica
  • vgv8 you have changed your question and accepted an answer that did not properly answer your original question! You seem to have pulled this trick on several of your questions. I advise you learn how to use stack overflow properly. – JamesRyan Aug 26 '10 at 09:10
  • @JamesRyan, what have I changed in my question???? The only thing I changed in my post was adding Update1. – Gennady Vanin Геннадий Ванин Aug 26 '10 at 09:27
  • Your original question was how are they different in a domain. The updates and comments have subtly but significantly changed it to how are the different on a specific machine. – JamesRyan Aug 26 '10 at 09:57
  • @JamesRyan, plz see the "Linked" section to the right. This is subquestion to and in context of parent question http://serverfault.com/questions/173550/the-context-of-local-user-of-ad-joined-machine-is-it-of-domain-machine-account-o I NEVER change question. I was banned in SU for duplications (there is no need to mention what is automatically provided by site) – Gennady Vanin Геннадий Ванин Aug 26 '10 at 10:51
  • This question is confusing and has changed over the course of its life; it is now significantly different to when it was asked. Consequently there are a number of answers here that are all answering different questions. In future, if the focus of your question changes significantly, please ask a new question. – Sam Cogan Aug 26 '10 at 11:02
  • I've rolled this back to remove all the extraneous crap that has no relevance. – John Gardeniers Aug 26 '10 at 12:19

4 Answers

16

Before a Domain Controller is promoted to that role, it is a simple workgroup (standalone) server and has a local Administrator account and a local Administrators group. When you create a domain, those accounts don't go away; they're incorporated into the domain as the domain Administrator account and the domain builtin\Administrators group.

The builtin\Administrators group has Administrative access to the Domain Controllers, but is not automatically granted administrative access to all computers within the domain, whereas Domain Admins are.

gWaldo
  • Hi, Waldo, I believed that Domain Admins are granted access to all computers by including them in local Administrators group on all domained computers, See the citation in my main post: "By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain". I believed that nobody has access to my computer, domained or not, if I remove such permissions (or inclusions). True? – Gennady Vanin Геннадий Ванин Aug 25 '10 at 14:09
  • +1, anyway it was useful to me as a dummy having no access to AD/DC – Gennady Vanin Геннадий Ванин Aug 25 '10 at 14:23
  • Off the top of my head (and I don't have a virgin domain to check, nor resources to build one), the addition of Domain Admins to the local Administrators group of each machine is part of the Default Domain Policy GPO. If this is the case, you can certainly remove Domain Admins from your local Admins group, but they'll be put back in during the next Policy refresh (by default every 90 + [0-30] minutes). – gWaldo Aug 25 '10 at 14:39
  • How is it? I understood from http://serverfault.com/questions/173550/the-context-of-local-user-of-ad-joined-machine-is-it-of-domain-machine-account-o/173560#173560 and follow-up that local groups and users on client domained PCs are exactly the same as on workgroup (non-joined or pre-joined to domain) computers and are unknown to domain (AD DC)... – Gennady Vanin Геннадий Ванин Aug 25 '10 at 14:56
  • I marked this post as answer since it answered my main question I was after (in all reincarnations of subquestions): Should I have a second dual-boot workgroup Windows (in addition to domained Windows) in order to develop independently of domain restrictions, and all answers were dwelling to prove to me that there is no difference between local user before joining a machine to domain and after! http://serverfault.com/questions/169807/how-to-better-set-up-machine-for-development-both-in-workgroup-and-windows-domain – Gennady Vanin Геннадий Ванин Aug 25 '10 at 16:33
  • this answer is not correct. When someone is added to builtin\administrators on 1 DC they are added to it on all DCs in the domain – JamesRyan Aug 26 '10 at 09:06
  • @JamesRyan, I marked this post because it was helpful to me, I upvoted other posts and comments. Can you give a reference? I always thought that the term "replication" is applied to databases, in this case to AD database. I also thought that what is added to local groups is forced by GPO and and only domain users and groups are centrally managed and replicated through AD database. Besides, in parent questions of this subquestion I was told that there is no difference between local users and groups before joining machine to AD and after joining it to AD. – Gennady Vanin Геннадий Ванин Aug 26 '10 at 09:58
  • @JamesRyan, note that gWaldo was the only who responded to my comments, others ignored them. He might not be correct, though I do not see where yet, but he was helpful and cooperative on my question and difficulties in the area – Gennady Vanin Геннадий Ванин Aug 26 '10 at 10:08
  • @JamesRyan read it again (it's not edited): The builtin\Administrators group has Administrative access to the Domain Controllers, but is not automatically granted administrative access to all computers within the domain, whereas Domain Admins are. Controllers. Plural. – gWaldo Aug 26 '10 at 12:16
  • yeah I guess you can read it that way, it's at least not very clear that it doesn't just apply to the ones that were upgraded. – JamesRyan Aug 26 '10 at 12:45
12

The domain admins group and the AD builtin\Administrators group (not the local admin group on clients) effectively grant users in them the same rights; however, there are some subtle differences:

  • builtin\administrators is a domain local group, whereas domain admins is a global group
  • Domain admins are a member of builtin\administrators
  • Domain admins are a member of the local admins group on each client pc
  • The builtin\administrators group is there to provide backwards compatibility with pre-AD systems
Sam Cogan
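An added example, not code from any answer on this page, that makes the four bullets above checkable from a domain-joined member: it reads the scope of both AD groups, shows the nesting, and lists who holds the local Administrators group. It assumes the RSAT ActiveDirectory module and Windows 10 / Server 2016 or later (for Get-LocalGroupMember); it skips the local check on a domain controller, where the "local" Administrators group is the AD builtin group itself.

```powershell
# Added audit example (not from the thread). Assumes the ActiveDirectory
# module (RSAT) and Get-LocalGroupMember (Windows 10 / Server 2016+).
Import-Module ActiveDirectory

# 1. Scope: Domain Admins is Global, builtin\Administrators is DomainLocal.
#    'Administrators' resolves to the domain's builtin group (CN=Builtin).
foreach ($name in 'Domain Admins', 'Administrators') {
    $g = Get-ADGroup -Identity $name
    '{0,-15} scope={1,-12} sid={2}' -f $g.Name, $g.GroupScope, $g.SID
}

# 2. Nesting: which groups sit directly inside builtin\Administrators
#    (Domain Admins and Enterprise Admins by default), and how many
#    principals that expands to once nesting is followed.
$nested = Get-ADGroupMember -Identity 'Administrators' |
    Where-Object objectClass -eq 'group' |
    Select-Object -ExpandProperty Name
$effective = Get-ADGroupMember -Identity 'Administrators' -Recursive
"Groups nested in builtin\Administrators: $($nested -join ', ')"
"Effective members after expanding nesting: $($effective.Count)"

# 3. Who can administer THIS machine: the local Administrators group.
#    DomainRole 4/5 = domain controller, where there is no separate SAM.
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    'This host is a DC: local Administrators IS the AD builtin group.'
} else {
    # On a member you should see <DOMAIN>\Domain Admins here, but never the
    # domain's builtin\Administrators: both carry well-known SID
    # S-1-5-32-544, so that name always means the member's own local group.
    $local = Get-LocalGroupMember -Group 'Administrators'
    $local | Format-Table Name, ObjectClass, PrincipalSource -AutoSize
    if (-not ($local | Where-Object Name -like '*\Domain Admins')) {
        Write-Warning 'Domain Admins missing from local Administrators (GPO or manual change?)'
    }
}
```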
5

The builtin/administrators group is created by default when you install Windows. This group has complete and unrestricted access to the computer. By default the only user account that is a member of this group is Administrator.

The Domain Administrators group is only present in a Windows domain. This group has complete and unrestricted access to the entire domain, able to logon to any pc or server that is a member of the domain.

When a pc/server is added to a domain, the domain admins group automatically becomes a member of the builtin/administrators group, thus providing the domain administrators administrator-level access to the computer.

If you moved an account from the domain admins group to the builtin/administrators group, that account would be able to administer that local computer but nothing else, unless you added the account to other builtin/administrators groups.

aleroot
  • I believe he is talking about the administrators group in AD, not the local admin group on client PCs – Sam Cogan Aug 25 '10 at 09:04
  • Who is "he"? If "he" is vgv8 then I just put a bunch of quotations asking to clarify them to me! – Gennady Vanin Геннадий Ванин Aug 25 '10 at 14:44
  • aleroot is right in that it IS the local admin group but incorrect in that it does behave differently on a DC – JamesRyan Aug 26 '10 at 09:13
  • @JamesRyan, +1 for trying to explain it to me. The answer by aleroot just reiterated what I cited in my question. I do not see in which part it says that the local Administrators group "does behave differently on a DC". In another comment you stated that this (local Administrators) group is replicated between DCs. How can the behavior be the same on a server before promoting it to DC? – Gennady Vanin Геннадий Ванин Aug 26 '10 at 10:17
  • @Sam Cogan, I am talking about how the local Administrators group of a non-domained server/workstation is changed (or not?) by the computer joining AD (that is, on the client machine). In the parent post I was answered that there is no difference in local groups and users before joining and after. – Gennady Vanin Геннадий Ванин Aug 26 '10 at 10:35
  • Now, a server can be promoted to DC instead of being a client. What does it change, if the local Administrators groups on all domained computers get the Domain Admins group added? – Gennady Vanin Геннадий Ванин Aug 26 '10 at 10:39
  • you would need to check but I think that when you dcpromo existing members of builtin\administrators on that specific machine are lost and replaced with the domain ones – JamesRyan Aug 26 '10 at 12:48
5

This is a question with a simple and a complicated answer.

Simple answer is always use the domain admins group.

Complicated answer is that domain admins gives admin to everything (DCs, servers and workstations) on the domain. builtin\Administrators initially only gives access to all DCs (it is a local group but gets replicated) but not servers or workstations. However, admin access to a DC gives the ability to elevate themselves to domain admin. So from a security pov they are equivalent.

The main reason builtin\administrators exists is so that programs checking for admin access can check the same place on any machine.

DCs are the keys to your castle: you can never (effectively) give admin to one and not another, or to the local server and not the whole domain, so they should not have programs/files that require local admin access only.

JamesRyan
  • +1 @JamesRyan, "it is a local group but gets replicated". Funny, because in http://serverfault.com/questions/173550/the-context-of-local-user-of-ad-joined-machine-is-it-of-domain-machine-account-o I was unanimously answered that local groups/accounts are not recognized outside of local computer. Though in http://serverfault.com/questions/174196/workgroup-windows-users-or-groups-can-use-domain-accounts-but-not-vice-versa I questioned this "anonymity" since Administrator and Administrators have "Well-known Security Identifiers", see http://technet.microsoft.com/en-us/library/cc978401.aspx – Gennady Vanin Геннадий Ванин Aug 25 '10 at 14:20
  • Is it replicated as a well-known to Windows group or as a local group, I wonder? – Gennady Vanin Геннадий Ванин Aug 25 '10 at 14:22
  • Why was this voted down when it is the right answer? Not the answer you wanted? – JamesRyan Aug 26 '10 at 09:12
  • @JamesRyan, I upvoted your answer as helpful. My rating is around 50 and I have never had on any site of the trilogy the 100 needed for downvoting! Also, AFAIK, I cannot downvote after an upvote – Gennady Vanin Геннадий Ванин Aug 26 '10 at 09:32
  • I was talking to the downvoters – JamesRyan Aug 26 '10 at 09:55
  • +1. You're right, especially about the recommendation to use the DA group. – gWaldo Aug 26 '10 at 12:24