Looking for definitive document on differences between built in Administrator and those in local administrator group in Windows 7
March 14, 2012 13:00
Executive summary questions:
With Windows 7, what are the functional differences between the built in Administrator account and a domain account put into the local admin group?
Is there a way to make a domain account put into the local admin group equivalent in powers to the built in Administrator (as it was in XP)? [*without* disabling UAC, as I saw one suggestion in another thread]
Is there any official documentation/MS Whitepaper that delves into this topic?
Slightly longer rambling:
I've been frustrated by situations where we need to use the local administrator account to accomplish some task or install certain software. The password to builtin\administrator is NOT something I want to be passing around to the entire IT department. If one does an Internet search on "build in administrator Windows 7" (or something along that line) there is a lot of off-the-cuff discussion about how the built in administrator is different in that it is not a split token (as with accounts put into the local administrators group), but I haven't seen any authoritative references, discussion or documentation about what exactly "builtin\Administrator" can do but "domain\AdminInLocalAdminsGroup" cannot, or how the latter account can be given equivalent powers to the former.
If anyone can answer the above questions and/or point me to a really good resource on this topic (I've searched the MS web site, MS Premier and the net in general) they will have my eternal gratitude.
March 16, 2012 9:14
We can put a domain account into the local admin group; you can then install/uninstall or update without problems.
There are three kinds of accounts: the built-in Administrator, the domain administrator, and a domain account in the local admin group.
Domain admins are automatically members of the local Administrators group but not vice versa. This means that a local admin has no access to servers or other PCs unless the account names & passwords are synchronized.
If the local network disconnects and the cache is refreshed, sometimes you will find that the built-in Administrator can log on but the domain\Admin in the local admin group cannot.
March 16, 2012 12:40
Thanks for your reply. I'm aware of the differences between local and domain accounts; the issue is that in Windows 7 a domain account that is a member of the local administrator group (whether automatically by virtue of being a Domain Admin or not) does not have the same powers on the machine as the built-in Administrator. I want to know exactly what those practical differences are (e.g. registry keys that can't be modified, etc.) and what can be done to make Windows 7 non-built-in-but-local-administrators behave just like XP/Win2K/NT.
March 19, 2012 8:34
I think that maybe UAC is the reason why you ask this question. If you disable UAC in Windows 7, the non-built-in but local administrator behaves no differently in Windows 7 than in Windows XP. There is only one built-in Administrator, but you may create lots of accounts in the local administrators group. As we all know, the SIDs of the built-in and other administrators are different. This makes for bad programming logic by third parties. So UAC has been designed since Windows Vista.
User Account Control Step-by-Step Guide
Hope that helps.
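The two things this reply points at, the UAC token split and the built-in account's distinct SID, can be inspected directly on a machine. The following PowerShell is an added example, not part of the thread; it assumes Windows PowerShell 2.0 or later with `whoami.exe` on the path, and the output property names are illustrative.

```powershell
# Added example: report how UAC treats the current logon on this machine.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

# The built-in Administrator is the local account whose SID ends in RID 500,
# whatever the account has been renamed to.
$builtIn = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
           Where-Object { $_.SID -like 'S-1-5-21-*-500' }

# IsInRole is true only when BUILTIN\Administrators is *enabled* in this token.
# In a filtered (split) token the group is still listed, but as deny-only.
$adminsEnabled = $principal.IsInRole($adminsSid)

# whoami also lists deny-only groups. Headers and attribute text are localized,
# so fixed column names are supplied and the attribute text is reported as-is.
$adminsRow = whoami /groups /fo csv /nh |
             ConvertFrom-Csv -Header Name, Type, SID, Attributes |
             Where-Object { $_.SID -eq 'S-1-5-32-544' }

# UAC policy values that decide which accounts receive a filtered token.
# EnableLUA               : "Run all administrators in Admin Approval Mode"
# FilterAdministratorToken: "Admin Approval Mode for the Built-in Administrator account"
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $key

$report = New-Object PSObject -Property @{
    Account                  = $id.Name
    AccountSid               = $id.User.Value
    IsBuiltInAdministrator   = ($builtIn -ne $null -and $id.User.Value -eq $builtIn.SID)
    AdministratorsEnabled    = $adminsEnabled
    AdministratorsAttributes = $adminsRow.Attributes
    EnableLUA                = $pol.EnableLUA
    FilterAdministratorToken = $pol.FilterAdministratorToken
}

$report | Format-List Account, AccountSid, IsBuiltInAdministrator,
    AdministratorsEnabled, AdministratorsAttributes,
    EnableLUA, FilterAdministratorToken
```

Running it from a normal prompt and again from an elevated one, under each account being compared, gives one report per case to set side by side.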
March 19, 2012 12:34
I'm sorry but I don't ask the question because of UAC. I ask the question because we've run into engineering matters where only the local admin account could accomplish a task. I'll just get the specifics and open a ticket with technical support.
March 20, 2012 3:41
Usually there is no problem accomplishing a task or installing certain software with a local administrator account. So could you describe your task or installation in detail?
- Edited by Ivan-Liu, March 20, 2012 4:45
June 22, 2012 13:19
Was hoping for a clear answer. Thanks to the people trying to help, but always the same Captain Obvious answers (Ivan-Liu, you seem very nice, but did you really read what Bill_Ky wrote? "Usually there is no problem to accomplish some task and install certain sw with local admin account": are you serious, dude? That's exactly what Bill_Ky has been explaining since the beginning!).
Let me try to explain it as simply as possible:
=> When using a domain account that is properly added to the local admins group, and so is supposed to have admin rights, I am not able to install certain programs (not all of them, only some), while using the local administrator account allows me to without any problem. WHY?
Right click "run as admin" does not help, disabling UAC neither.
UAC prompt or not, UAC enabled or not, I can do one thing with local admin, not with an account part of local admins group.
Still waiting for the real specialist to answer this...
- Edited by H51angfu, June 22, 2012 13:23
May 20, 2013 9:28
H51angfu, did you find an answer on another website? I was looking for an answer to the same question.
- Edited by M.DP, May 20, 2013 9:38
May 20, 2013 12:15
I can tell you that I haven't seen a definitive answer for this either, and occasionally still run into frustrations because of it. Recently I was reading docs on a product that said a local administrator was required (specifically stating that a domain account in local admins wasn't good enough), but with no explanation. I went against the docs and the product has been running fine using a Domain account, but the FUD surrounding this feeds what I call "Give me a dedicated X syndrome". Where X might be "dedicated server" for a tiny app, a dedicated Domain Admin account when domain admin powers aren't necessary, etc, etc.
May 23, 2013 12:46
Hi Bill, thanks for your answer. I agree, it is curious that there isn't any documentation regarding this problem, and that Microsoft can't clarify this issue either. I think it's important to know the difference; in my case I want to disable the built-in admin for security reasons and use another account for administering.
- Edited by M.DP, May 23, 2013 12:47