anothracount
MIS
I m not sure what the difference between administrators vs domain admins in AD windwos 2003 enviorment.
Its confiusing me
Its confiusing me
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Administrators vs domain admins
- Thread starter anothracount
- Start date
- Status
Do you mean the local administrator group or the administrator group on the domain?
Domain admins are automatically members of the local admin group on any machine in the domain.
Domain admins are also members of the built in domain local Administrators group.
The built in Administrator group has control over that machine only whereas the domain admins have control over the domain.
Domain admins are automatically members of the local admin group on any machine in the domain.
Domain admins are also members of the built in domain local Administrators group.
The built in Administrator group has control over that machine only whereas the domain admins have control over the domain.
- Thread starter
- #3
anothracount
MIS
I undrestand the difference between local admin and domian admins, but what i dont undrestand is that why would there be a administrators group in AD, wouldnt the admin for the domain controller have full admin rights to the domain as well?
Hope this helps
The administrators group is installed when you first install the Server [so it's now a member server]. This is the local machine administrators security group account.
When you promote a server to a Domain Controller, to include DNS, Active Directory, the domain administrators security group is added to administer the Active Directory domain.
You can log on to the local machine using the local machine administrators account OR you can log on to the domain with the domain administrators account.
The administrators group is installed when you first install the Server [so it's now a member server]. This is the local machine administrators security group account.
When you promote a server to a Domain Controller, to include DNS, Active Directory, the domain administrators security group is added to administer the Active Directory domain.
You can log on to the local machine using the local machine administrators account OR you can log on to the domain with the domain administrators account.
- Thread starter
- #5
anothracount
MIS
Thank you, so the local admin of the Domain controller can not login to the domain.
Thank you very much.
Thank you very much.
just a follow up to provide more info...
A domain controller doesnt technically have a local SAM database like a desktop or member server would, as it is replaced by direct lookups to AD only.
I say technically doesn't, because it really does, its simply "disabled" so to speak.
The only thing the local SAM db on a DC holds after dc promotion is the DS recovery mode administrator account, which is only used in DS restore mode, which cannot contact AD since it disables those calls temporarily, hence reverting to the local SAM.
-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+
A domain controller doesnt technically have a local SAM database like a desktop or member server would, as it is replaced by direct lookups to AD only.
I say technically doesn't, because it really does, its simply "disabled" so to speak.
The only thing the local SAM db on a DC holds after dc promotion is the DS recovery mode administrator account, which is only used in DS restore mode, which cannot contact AD since it disables those calls temporarily, hence reverting to the local SAM.
-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+
- Status
Similar threads