Domain Admins vs. Administrators in Windows AD DC [closed]

Before a Domain Controller is promoted to that role, it is a simple workgroup (standalone) server and has a local Administrator account and a local Administrators group. When you create a domain, those accounts don't go away; they're incorporated into the domain as the domain Administrator account and the domain builtin\Administrators group.

The builtin\Administrators group has Administrative access to the Domain Controllers, but is not automatically granted administrative access to all computers within the domain, whereas Domain Admins are.


The domain admins group and the AD builtin\Administrators group (not the local admin group on clients) effectively grant users in them the same rights; however, there are some subtle differences:

  • builtin\administrators is a domain local group, whereas domain admins is a global group
  • Domain admins is a member of builtin\administrators
  • Domain admins is a member of the local admins group on each client PC
  • The builtin\administrators group is there to provide backwards compatibility with pre-AD systems

The builtin/administrators group is created by default when you install Windows. This group has complete and unrestricted access to the computer. By default, the only user account that is a member of this group is Administrator.

The Domain Administrators group is only present in a Windows domain. This group has complete and unrestricted access to the entire domain and is able to log on to any PC or server that is a member of the domain.

When a pc/server is added to a domain, the domain admins group automatically becomes a member of the builtin/administrators group, thus providing the domain administrators administrator-level access to the computer.

If you moved an account from the domain admins group to the builtin/administrators group, that account would be able to administer that local computer but nothing else, unless you added the account to other builtin/administrators groups.
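
The nesting described in the answers above can be audited offline from an export of group memberships. The following is an added example, not code from any of the answers; the domain name `CORP`, the workstation `WS01`, and all account and group contents are constructed sample data. It expands nested groups (tolerating circular nesting) and reports accounts that hold administrator rights on the domain controllers through builtin\Administrators without being in Domain Admins.

```python
# Constructed sample data: group -> direct members (not from a real domain).
DIRECT_MEMBERS = {
    r"BUILTIN\Administrators": {"Administrator", r"CORP\Domain Admins",
                                r"CORP\Enterprise Admins", "svc-backup"},
    r"CORP\Domain Admins": {"Administrator", "alice"},
    r"CORP\Enterprise Admins": {"Administrator", r"CORP\Tier0 Ops"},
    r"CORP\Tier0 Ops": {"bob", r"CORP\Enterprise Admins"},  # deliberate nesting loop
    # Local Administrators group on a domain-joined workstation (default after join).
    r"WS01\Administrators": {r"WS01\Administrator", r"CORP\Domain Admins"},
}


def expand(group, members=DIRECT_MEMBERS):
    """Return the accounts that are members of `group`, directly or via nesting."""
    accounts, seen, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in seen:  # guards against circular nesting
            continue
        seen.add(current)
        for member in members.get(current, ()):
            if member in members:  # the member is itself a group: descend into it
                stack.append(member)
            else:
                accounts.add(member)
    return accounts


def dc_admins_outside_domain_admins(members=DIRECT_MEMBERS):
    """Accounts with admin rights on DCs that a Domain Admins review would miss."""
    return (expand(r"BUILTIN\Administrators", members)
            - expand(r"CORP\Domain Admins", members))


if __name__ == "__main__":
    for account in sorted(dc_admins_outside_domain_admins()):
        print("DC admin, not Domain Admin:", account)
    print("WS01 admins:", sorted(expand(r"WS01\Administrators")))
```

In this sample, `svc-backup` and `bob` administer the domain controllers but do not appear among the administrators of `WS01`, because only Domain Admins is nested into the workstation's local group.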