When to use a Local Administrator or Domain Admin account
-
Tuesday, February 12, 2013 10:41 PM
This question is about the Built-In Administrator account, a user-created Local Administrator account, and a user-created Domain Admin account. The environment for the question is on a domain.
- On any computer, workstation or server, are there any situations where you should use one account over the other?
- Are there any limitations to be considered when choosing one over the other?
- If you use a user-created domain account to authorize events in UAC, what happens if the account ceases to exist (e.g., workstation leaves the domain)?
Some examples where I am wondering if the choice of account matters are:
- Installing software applications
- Installing hardware drivers
- Installing server software (e.g., SQL, Exchange, Project, Lync)
Your feedback is appreciated. Please note that I am not asking when to use an Admin account over a Standard account.
All Replies
-
Wednesday, February 13, 2013 2:50 AM
If you are installing software that doesn't require domain resources, such as hardware drivers & firmware, you can definitely use a local administrator.
But if you need domain resources, such as for server software, installing with a local administrator will cause problems.
- Proposed As Answer by ArnavSharma Wednesday, February 13, 2013 5:24 AM
- Marked As Answer by Santosh Bhandarkar (Microsoft Community Contributor, Moderator) Monday, February 18, 2013 9:17 AM
-
Wednesday, February 13, 2013 11:48 AM Moderator
On any computer, workstation or server, are there any situations where you should use one account over the other?
As you might already know, when a computer is joined to the domain, the Domain Admins group is added to the local Administrators group on that computer; whoever is a member of the Domain Admins group will have Local Admin rights on all the computers and servers which are part of the domain.
Domain Admin rights are not usually needed most of the time. If you would like to edit group policies using RSAT from a member server or a client machine, then the user ID needs to have rights to edit Group Policies or Domain Admin privileges. Similarly, for managing services like DNS, DHCP, etc., delegated accounts can be used or a domain admin account can be used. A Domain Admin will have unrestricted access on the domain, hence that permission needs to be granted cautiously.
Are there any limitations to be considered when choosing one over the other?
As I mentioned above, a Domain Admin account should be used only when necessary; most of the software, driver installation or file modification operations can be performed with the help of a local admin account or a domain account with local admin permissions on the specific machine.
If you use a user-created domain account to authorize events in UAC, what happens if the account ceases to exist (e.g., workstation leaves the domain)?
If the workstation leaves the domain, a user with domain admin permissions cannot log on to the computer. The computer needs to be re-added to the domain to log on to the machine with domain accounts.
- Installing software applications
- Installing hardware drivers
For both, Local Admin permissions are enough; a domain admin can also do that, however it is not necessarily needed.
- Installing server software (e.g., SQL, Exchange, Project, Lync)
Deployment Permissions for SQL Server
Exchange 2010 Deployment Permissions Reference
Lync Server Group Membership Requirements
User accounts and permissions needed to install and configure Project Server and related components
HTH
Regards, Santosh
I do not represent the organisation I work for, all the opinions expressed here are my own.
This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
Whenever you see a helpful reply, click on Vote As Helpful & click on Mark As Answer if a post answers your question.
- Marked As Answer by Santosh Bhandarkar (Microsoft Community Contributor, Moderator) Monday, February 18, 2013 9:17 AM
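
The following is an added example, not code from any poster in this thread: it lists the members of the local Administrators group on a domain-joined machine and labels each one as the built-in Administrator, another local account, the Domain Admins group, or another domain principal, which are the account types the question asks about. The function name `Get-LocalAdminReport` is hypothetical, and the script assumes Windows PowerShell 5.1 or later on a workstation or member server, not a domain controller.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+ on a
# domain-joined workstation or member server (not a domain controller).
function Get-LocalAdminReport {   # hypothetical helper name
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; querying
    # by SID avoids depending on the localized group name.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'

    # Machine SID prefix, read from the built-in Administrator (RID 500).
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $machinePrefix = $builtin.SID.AccountDomainSid.Value

    foreach ($m in $members) {
        $rid    = ($m.SID.Value -split '-')[-1]
        $prefix = $m.SID.AccountDomainSid   # $null for well-known SIDs

        $kind = if ($null -eq $prefix) {
            'Well-known principal'
        } elseif ($prefix.Value -eq $machinePrefix) {
            # Same prefix as the machine: the account lives in the local SAM.
            if ($rid -eq '500') { 'Built-in Administrator' } else { 'Other local account' }
        } elseif ($rid -eq '512') {
            # RID 512 under a domain SID is the Domain Admins group.
            'Domain Admins group'
        } else {
            'Other domain principal'
        }

        [pscustomobject]@{
            Name        = $m.Name
            ObjectClass = $m.ObjectClass
            Kind        = $kind
            SID         = $m.SID.Value
        }
    }
}

Get-LocalAdminReport | Sort-Object Kind | Format-Table -AutoSize
```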

