none
What kind of Group scope can be add as a member of "Builtin Local" groups (e.g. Builtin\Administrators)?

    Question

  • I search about the definition and the discussion about "Builtin Local" group, but still not found any useful information about the question on my topic.

    I encounter the issue of adding member to Builtin\Administrators group on AD. I saw the "Type" description on Builtin\Administrators group is "Security Group - Domain Local", but when I check the Properties details under the Group scope it shown as "Builtin Local", I don't know the difference between the domain local and builtin local, as its Type is "Security Group - Domain Local", I believe the "Builtin Local" shares the same characteristic as "Domain Local Group", members can be "Domain Local(Same domain)", "Global Group", "Universal Group".

    Reference: https://ss64.com/nt/syntax-groups.html

    But the truth is "Builtin Local" act like the "Universal Group", it only able to add "Global Group" and "Universal Group" as member.

    Any documents from Microsoft have description on these behavior about the "Builtin Local" group?

    Tuesday, March 21, 2017 1:34 AM

Answers

  • Hi NineS_KO,

    You could refer to the document from Microsoft,

    Built-in local groups  that have a special group scope that have domain local permissions and, for simplicity, are often referred to as domain local groups. The difference between built-in local groups and other groups is that built-in local groups can't be created or deleted. You can only modify built-in local groups. References to domain local groups apply to built-in local groups unless otherwise noted.

    https://msdn.microsoft.com/en-us/library/bb726978.aspx

    Best Regards,

    Mary


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Richard MuellerMVP Tuesday, March 21, 2017 9:46 AM
    • Marked as answer by NineS_KO Thursday, March 23, 2017 1:16 AM
    Tuesday, March 21, 2017 7:54 AM
    Moderator

All replies

  • Hi NineS_KO,

    You could refer to the document from Microsoft,

    Built-in local groups  that have a special group scope that have domain local permissions and, for simplicity, are often referred to as domain local groups. The difference between built-in local groups and other groups is that built-in local groups can't be created or deleted. You can only modify built-in local groups. References to domain local groups apply to built-in local groups unless otherwise noted.

    https://msdn.microsoft.com/en-us/library/bb726978.aspx

    Best Regards,

    Mary


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Richard MuellerMVP Tuesday, March 21, 2017 9:46 AM
    • Marked as answer by NineS_KO Thursday, March 23, 2017 1:16 AM
    Tuesday, March 21, 2017 7:54 AM
    Moderator
  • Hi Mary,

    Thanks for your reply.

    According to the document, Built-in local groups refer to domain local groupand domain local group accept domain local group as member from the same domain. I did test the Group A(domain local) can addGroup B(domain local) as member, but Builtin\Adminstrators(Built-in local) can't even lookup Group A(domain local) or Group B(domain local) to add as member, it only able to lookup the Global group & Universal Groups.

    How to describe this situation as it act like domain local group but it can't accept domain local group as member?


    • Edited by NineS_KO Wednesday, March 22, 2017 12:47 AM
    Tuesday, March 21, 2017 2:44 PM
  • Hi NineS_KO,

    For now, I didn't find the more details about this from the Microsoft. But based on my understanding, since the it is a little bit different from domain local. The function is the same as domain local. Domain local apply to the specific domain. But based on my knowledge,  built-in local groups apply the specific server, the scope is more smaller. So we couldn't include it.

    Best Regards,

    Mary


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 22, 2017 7:26 AM
    Moderator