21

Having read in the Microsoft Docs article Default groups the description of these two groups:

Domain Admins

"Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution."

Administrators

"Members of this group have full control of all domain controllers in the domain. By default, the Domain Admins and Enterprise Admins groups are members of the Administrators group. The Administrator account is also a default member. Because this group has full control in the domain, add users with caution."

and that the same article states both groups have the exact same description of their Default user rights:

Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.

Further, the Microsoft Docs article Default local groups includes this description of the Administrators group:

"Members of this group have full control of the server and can assign user rights and access control permissions to users as necessary. The Administrator account is also a default member. When this server is joined to a domain, the Domain Admins group is automatically added to this group..."

[emphasis mine]

Given the above, I do not understand:

  1. What are the differences between them?
  2. When to use which in their default incarnation?
  3. How to specialize their engagement?
  4. If the Domain Admins are members of Administrators, doesn't it make them always equal?

This question is a sub-question of, and asked in the context of, the question Is the context of local user of AD-joined machine a domain machine account or of local machine account?

4 Answers

18

Before a Domain Controller is promoted to that role, it is a simple workgroup (standalone) server and has a local Administrator account and a local Administrators group. When you create a domain, those accounts don't go away; they're incorporated into the domain as the domain Administrator account and the domain builtin\Administrators group.

The builtin\Administrators group has Administrative access to the Domain Controllers, but is not automatically granted administrative access to all computers within the domain, whereas Domain Admins are.

gWaldo
  • 12,027
13

The domain admins group, and the AD builtin\Administrators group (not the local admin group on clients) effectively grant users in them the same rights, however there are some subtle differences:

  • builtin\administrators is a domain local group, whereas domain admins is a global group
  • Domain admins are a member of builtin\administrators
  • Domain admins are a member of the local admins group on each client pc
  • The builtin\administrators group is there to provide backwards compatibility with pre-AD systems

Sam Cogan
  • 39,089
6

The builtin\administrators group is created by default when you install Windows. This group has complete and unrestricted access to the computer. By default the only user account that is a member of this group is Administrator.

The Domain Administrators group is only present in a Windows domain. This group has complete and unrestricted access to the entire domain, able to logon to any pc or server that is a member of the domain.

When a pc/server is added to a domain, the domain admins group automatically becomes a member of the builtin\administrators group, thus providing the domain administrators administrator-level access to the computer.

If you moved an account from the domain admins group to the builtin\administrators group, that account would be able to administer that local computer but nothing else, unless you added the account to other builtin\administrators groups.

aleroot
  • 3,248
5

This is a question with a simple and a complicated answer.

Simple answer is always use the domain admins group.

Complicated answer is that domain admins gives admin to everything (DCs, servers and workstations) on the domain. builtin\Administrators initially only gives access to all DCs (it is a local group but gets replicated) but not servers or workstations. However, admin access to a DC gives the ability to elevate themselves to domain admin. So from a security pov they are equivalent.

The main reason builtin\administrators exists is so that programs checking for admin access can check the same place on any machine.

DCs are the keys to your castle: you can never (effectively) give admin to one and not another, or to the local server and not the whole domain, so they should not have programs/files that require local admin access only on them.

JamesRyan
  • 8,204
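An added audit script (not from any of the answers above) that makes the points in Sam Cogan's and JamesRyan's answers checkable: it reads the scope of both groups, confirms that Domain Admins is nested in builtin\Administrators, and lists anyone who is an administrator on the DCs without being a Domain Admin, which by JamesRyan's reasoning is a Tier 0 account that is easy to overlook. It assumes the RSAT ActiveDirectory module and a domain-authenticated session; the well-known SIDs used (RID 512 for Domain Admins, S-1-5-32-544 for builtin\Administrators) are standard Windows values.

```powershell
# Added example: audit Domain Admins vs builtin\Administrators. Not part of the
# original answers. Assumes RSAT ActiveDirectory module and domain credentials.
Import-Module ActiveDirectory

# Resolve both groups by SID so the check still works if someone renamed them.
$domainSid     = (Get-ADDomain).DomainSID.Value
$domainAdmins  = Get-ADGroup -Identity "$domainSid-512"   # Domain Admins (RID 512)
$builtinAdmins = Get-ADGroup -Identity 'S-1-5-32-544'    # builtin\Administrators

# Difference 1 (scope): expect Global for Domain Admins, DomainLocal for builtin\Administrators.
$domainAdmins, $builtinAdmins |
    Select-Object Name, GroupScope, SID |
    Format-Table -AutoSize

# Difference 2 (nesting): Domain Admins should be a direct member of builtin\Administrators.
$directMembers = Get-ADGroupMember -Identity $builtinAdmins
if ($directMembers.SID -contains $domainAdmins.SID) {
    'OK: Domain Admins is nested in builtin\Administrators'
} else {
    'WARNING: Domain Admins is NOT nested in builtin\Administrators (non-default state)'
}

# Security equivalence: anyone in builtin\Administrators is admin on every DC and can
# therefore make themselves Domain Admin, so treat both groups as Tier 0. Resolve nested
# membership down to user objects and report users that are only in builtin\Administrators.
# Caveat: -Recursive fails on foreign security principals from trusted domains.
$daUsers = Get-ADGroupMember -Identity $domainAdmins  -Recursive | Where-Object objectClass -eq 'user'
$baUsers = Get-ADGroupMember -Identity $builtinAdmins -Recursive | Where-Object objectClass -eq 'user'
$onlyBuiltin = $baUsers | Where-Object { $_.SID -notin $daUsers.SID }
'Users who are DC administrators but not Domain Admins:'
$onlyBuiltin | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# aleroot's point, seen from a member server (run this on a domain member, NOT on a DC,
# which has no local SAM): the local Administrators group should contain
# DOMAIN\Domain Admins with PrincipalSource ActiveDirectory.
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -notin 4, 5) {
    Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object Name, PrincipalSource, ObjectClass
}
```

The scope and nesting output restates Sam Cogan's bullets against the live directory; the "only in builtin\Administrators" list is the part worth feeding into your privileged-account review.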