Re: AD administrators and domain admins groups
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Fri, 28 Apr 2006 10:20:06 -0400
Domain Admins is a group with domain affinity, so that means that you can add Domain Admins to groups on machines anywhere that trusts the domain (workstations, servers, other domain's, etc). This is why you can manage workstations, etc in the domain if you have domain admins rights, the domain admin group was added the local admins groups on the machines.
Other than that, look at the ACLs on AD objects and that will tell you what an Admin can do versus a Domain Admin or even an Enterprise Admin. The permissions do vary, however, any one of those groups can easily attain the permissions of the other on a DC.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
OM wrote:
Hi,.
What is the main difference, in terms of user privilege, between the administrators group and domain admins group in active directory? Accounts in either groups allow me to manage AD. It seems that only the domain admins group can administer domain workstations and servers.
Thanks
OM
- References:
- Prev by Date: Re: Maximum machine account password age
- Next by Date: Re: format of service principal name (SPN)
- Previous by thread: AD administrators and domain admins groups
- Next by thread: Windows Defender conflicts with spooler
- Index(es):
Relevant Pages
|
