When to use a Local Administrator or Domain Admin account

    Question

  • This question is about the Built-In Administrator account, a user-created Local Administrator account, and a user-created Domain Admin account.  The environment for the question is on a domain.

    • On any computer, workstation or server, are there any situations where you should use one account over the other?
    • Are there any limitations to be considered when choosing one over the other?
    • If you use a user-created domain account to authorize events in UAC, what happens if the account ceases to exist (e.g., the workstation leaves the domain)?

    Some examples where I am wondering whether the choice of account matters are

    • Installing software applications
    • Installing hardware drivers
    • Installing server software (e.g., SQL, Exchange, Project, Lync)

    Your feedback is appreciated.  Please note that I am not asking when to use an Admin account over a Standard account.

    Tuesday, February 12, 2013 10:41 PM

Answers

  • On any computer, workstation or server, are there any situations where you should use one account over the other?

    As you might already know, when a computer is joined to the domain, the Domain Admins group is added to the local Administrators group on that computer; whoever is a member of the Domain Admins group will have local admin rights on all the computers and servers that are part of the domain.

    Domain Admin rights are not usually needed most of the time. If you would like to edit group policies using RSAT from a member server or a client machine, then the user ID needs to have rights to edit Group Policies or Domain Admin privileges. Similarly, for managing services like DNS, DHCP etc., delegated accounts can be used or a domain admin account can be used. Domain Admin will have unrestricted access on the domain, hence that permission needs to be granted cautiously.

    Are there any limitations to be considered when choosing one over the other?

    As I mentioned above, the Domain Admin account should be used only when necessary; most software or driver installation or file modification operations can be performed with the help of a local admin account or a domain account with local admin permissions on the specific machine.

    If you use a user-created domain account to authorize events in UAC, what happens if the account ceases to exist (e.g., workstation leaves the domain).

    If the workstation leaves the domain, a user with domain admin permissions cannot log on to the computer. The computer needs to be re-added to the domain to log on to the machine with domain accounts.

    • Installing software applications
    • Installing hardware drivers

    For both, local admin permissions are enough; a domain admin can also do that, however it is not necessarily needed.

    • Installing server software (e.g., SQL, Exchange, Project, Lync)

    Deployment Permissions for SQL Server

    Exchange 2010 Deployment Permissions Reference

    Lync Server Group Membership Requirements

    User accounts and permissions needed to install and configure Project Server and related components

    HTH


    Regards, Santosh

    I do not represent the organisation I work for, all the opinions expressed here are my own.

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.


    Wednesday, February 13, 2013 11:48 AM
    Moderator
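The answer above rests on two facts: on domain join, Domain Admins lands in the local Administrators group, and once the machine leaves the domain, domain principals can no longer be resolved. The following PowerShell script is an added example (not part of this thread, not code from the answerer) that reports who currently holds local admin rights on a machine and flags which of those principals stop working after a disjoin. It uses the WinNT ADSI provider rather than Get-LocalGroupMember so that members whose SID can no longer be resolved are still listed, as a bare SID. Assumptions: it is run elevated on a Windows machine, Domain Admins is identified by its well-known RID 512 and the built-in Administrator by RID 500, and the function name Get-LocalAdminReport is mine.

```powershell
# Added example, not from the original thread. Lists members of the local
# Administrators group and marks the ones that survive a domain disjoin.
function Get-LocalAdminReport {
    $computer = $env:COMPUTERNAME
    $group = [ADSI]"WinNT://$computer/Administrators,group"

    foreach ($member in $group.psbase.Invoke('Members')) {
        $type = $member.GetType()
        # ADsPath is WinNT://<authority>/<name>. Authority is the computer name for
        # local principals and the NetBIOS domain name for domain principals; an
        # unresolvable member shows up as WinNT://S-1-5-21-... with no name part.
        $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        $authority = $parts[0]
        $resolved  = $parts.Count -gt 1

        try {
            $sidBytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
            $sid = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        } catch {
            $sid = $authority   # unresolved members expose only the SID in the path
        }
        $rid     = ($sid -split '-')[-1]
        $isLocal = $resolved -and ($authority -eq $computer)

        $kind = if (-not $resolved)                  { 'Orphaned SID (no longer resolvable)' }
                elseif ($isLocal -and $rid -eq '500') { 'Built-in Administrator (RID 500)' }
                elseif (-not $isLocal -and $rid -eq '512') { 'Domain Admins (RID 512)' }
                elseif ($isLocal)                     { 'Local account or group' }
                else                                  { 'Domain account or group' }

        [pscustomobject]@{
            Member          = if ($resolved) { "$authority\$($parts[-1])" } else { $sid }
            Kind            = $kind
            SID             = $sid
            UsableOffDomain = $isLocal   # only local principals keep working after a disjoin
        }
    }
}

Get-LocalAdminReport | Format-Table -AutoSize
```

Run it on a domain-joined machine and every row with UsableOffDomain set to False is a principal you cannot rely on for UAC elevation or logon once the machine is disjoined; run it again after the disjoin and those rows appear as orphaned SIDs. That is the practical argument for keeping at least one local administrator account (with a managed, unique password) alongside the domain-based ones.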
  • I imagine SQL would stop working as soon as you rebooted having disjoined the server from the domain, since the login would no longer be valid / exist since it doesn't exist locally and there's no way to access it any more. You'd then have to edit the service settings to get it to start using another login, after which you'd be able to start the service.

    I think SQL would then start, however you'd be unable to admin it having no sysadmin member on the server (unless you used mixed mode and knew the sa password). However you'd then have to start the service in single user mode at which point you can access SQL using the local admin details, and add the required users to the sysadmin role to get things working again.

    Obviously this is an educated guess, since just like you I'm not prepared to screw up a server to test it out! :-)

    Wednesday, September 25, 2013 9:59 PM

All replies

  • On any computer, workstation or server, are there any situations where you should use one account over the other?

    ...

    If you would like to edit group policies using RSAT from a member server or a client machine, then the user ID needs to have rights to edit Group Policies or Domain Admin privileges. Similarly, for managing services like DNS, DHCP etc., delegated accounts can be used or a domain admin account can be used.

    Are there any limitations to be considered when choosing one over the other?


    If you use a user-created domain account to authorize events in UAC, what happens if the account ceases to exist (e.g., workstation leaves the domain).

    If the workstation leaves the domain, a user with domain admin permissions cannot log on to the computer.

    • Installing software applications
    • Installing hardware drivers
    • Installing server software (e.g., SQL, Exchange, Project, Lync)

    Deployment Permissions for SQL Server

    Exchange 2010 Deployment Permissions Reference

    Lync Server Group Membership Requirements

    User accounts and permissions needed to install and configure Project Server and related components


    Regards, Santosh

    I accept your answer to the first question, which I feel also answers the second; but I do not feel Question 3 was answered.  Therefore, I'd like to give an example scenario.

    On Server1.contoso.com

    • Create a domain user called sql_admin
    • Add sql_admin to Domain Admins group

    On PC1.contoso.com

    • Logon using sql_admin
    • Install SQL Server
    • Add only contoso\sql_admin to the sysadmin role on SQL Server
    • Add local user accounts to the dbcreator role on SQL Server

    Now what will happen with SQL Server if PC1 is removed from the contoso domain?  Will it continue to be accessible now that the sql_admin account is no longer available?  Granted domain services will no longer be accessible, but will the local users still be able to use SQL locally?

    Note: I'd love to test this out and see for myself, but something like SQL Server is troublesome to install/uninstall repeatedly.

    Wednesday, September 25, 2013 9:28 PM
    Keith is absolutely correct! In fact, I had to face such situations in the past.

    Regards, Santosh

    I do not represent the organisation I work for; all the opinions expressed here are my own and posted AS IS.

    Thursday, September 26, 2013 2:44 AM
    Moderator
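Keith's recovery path for the sql_admin/PC1 scenario (check the service account, start SQL Server in single-user mode, connect as a local administrator, add a local principal to sysadmin, restart normally), written out as an added PowerShell example. This is not code from the thread or from either poster. Assumptions: the default instance MSSQLSERVER, SQL Server 2012 or later (for ALTER SERVER ROLE), sqlcmd installed on the box, an elevated PowerShell session run by a member of the local Administrators group, and the placeholders CONTOSO and the local Administrators group as the principal being granted sysadmin.

```powershell
# Added example, not from the original thread. Recovers sysadmin access to a SQL
# Server instance whose only sysadmin login was a domain account after the host
# left the domain.
$instance  = 'MSSQLSERVER'
$oldDomain = 'CONTOSO'                              # placeholder: the domain that was left
$newAdmin  = "$env:COMPUTERNAME\Administrators"     # local principal that will become sysadmin

# 1. If the service itself runs as an account from the old domain it will not start,
#    because the machine can no longer validate that account. Stop here and reassign
#    it first; SQL Server Configuration Manager is the supported way, because it also
#    fixes the file and registry ACLs that a plain sc.exe change would not.
$svc = Get-CimInstance Win32_Service -Filter "Name='$instance'"
"Service $instance runs as '$($svc.StartName)', state: $($svc.State)"
if ($svc.StartName -like "$oldDomain\*") {
    throw "Service account '$($svc.StartName)' belongs to the old domain; reassign it before continuing."
}

# 2. Start in single-user mode (-m). Exactly one connection is accepted, so SQL Agent,
#    monitoring agents and applications must not be allowed to grab it first.
Stop-Service -Name $instance -Force
net start $instance /m
if ($LASTEXITCODE -ne 0) { throw "Could not start $instance in single-user mode." }

# 3. In single-user mode any member of the local Administrators group connects as
#    sysadmin even though BUILTIN\Administrators has no login. Use that one connection
#    to add a principal that exists on the machine itself.
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$newAdmin')
    CREATE LOGIN [$newAdmin] FROM WINDOWS;
ALTER SERVER ROLE sysadmin ADD MEMBER [$newAdmin];
SELECT name AS sysadmin_member
FROM sys.server_principals
WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;
"@
sqlcmd -S . -E -Q $tsql
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed; another client may have taken the single connection." }

# 4. Back to normal multi-user operation. Once a local sysadmin exists, the orphaned
#    login can be removed from a normal session: DROP LOGIN [CONTOSO\sql_admin];
Stop-Service -Name $instance -Force
Start-Service -Name $instance
```

Two points worth knowing when you do this for real: local Windows logins (the dbcreator members in the scenario) are local SIDs and keep working after the disjoin, so the outage is limited to administration, not to every user; and the single-user connection is the whole trick, which is why step 2 stops the instance (taking SQL Agent with it) before restarting with -m, and why you run the script from the console of the server rather than remotely.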