locked
Domain administrators vs Domain admins group RRS feed

  • Question

  • Hi,

    Please help clarifying the below queries. We are in process of cleaning up AD built-in groups. I would like to understand more.

    1. What is the permissions difference between Active  directory "administrators" group and "domain admins" group? Does "administrators" has more permissions than "domain admins" group?

    2. Can we remove Enterprise admins and Domain admins group from "administrators" group in AD? Will there be reduced permissions when we remove these groups from "administrators" ?

    Thanks,

    Umesh.S.K


    • Edited by Umesh S K Wednesday, February 6, 2019 4:29 AM
    Wednesday, February 6, 2019 4:28 AM

Answers

  • Hi,

    1. What is the permissions difference between Active  directory "administrators" group and "domain admins" group? Does "administrators" has more permissions than "domain admins" group?

    Administrators group have full permission on all domain controllers in the domain.

    By default, domain Admins group is members of local administrators group of each members machine in the domain. It's also members of administrators group . So Domain Admins group has more permissions then Administrators group.

    2. Can we remove Enterprise admins and Domain admins group from "administrators" group in AD? Will there be reduced permissions when we remove these groups from "administrators" ?

    It's not recommended. there is no reason to remove domain Admin and enterprise Admins from this group. 


    Please don't forget to mark the correct answer, to help others who have the same issue. Thameur BOURBITA MCSE | MCSA My Blog : http://bourbitathameur.blogspot.fr/

    • Proposed as answer by Obujuwami Wednesday, February 6, 2019 10:15 PM
    • Marked as answer by Umesh S K Sunday, February 10, 2019 4:49 AM
    Wednesday, February 6, 2019 9:43 PM

All replies

  • Hi,

    Thanks for posting.

    Before a Domain Controller is promoted to that role, it is a simple workgroup (standalone) server and has a local Administrator account and a local Administrators group. When you create a domain, those accounts don't go away; they're incorporated into the domain as the domain Administrator account and the domain builtin\Administrators group.

    The builtin\Administrators group has Administrative access to the Domain Controllers, but is not automatically granted administrative access to all computers within the domain, whereas Domain Admins are.

    The domain admins group, and the AD builtin\Adminstrators group (not the local admin group on clients) effectively grant users in them the same rights, however there are some subtle differences:

    1.builtin\administrators is a domain local group, where as domain admins is a global group

    2.Domain admins are a memeber of builtin\administrators

    3.Domain admins are a member of the local admins group on each client pc

    4.The builtin\administrators group is there to provide backwards compatibility with pre-AD systems

    More information please refer to the following link:

    https://serverfault.com/questions/174200/domain-admins-vs-administrators-in-windows-ad-dc

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Hope above information could help.

    Best Regards ,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, February 6, 2019 7:07 AM
  • Hi Kallen,

    Thanks for the reply. However, I need to know what happens if I remove "domain admins" group from domain administrators group? Does "domain admin" group retains its permission and will it retain the same permissions as "administrators" once it is removed from domain "administrators" group.

    Thanks,

    Umesh.S.K

    Wednesday, February 6, 2019 9:22 AM
  • Hi Umesh,

    Ultimately the outcome will depend on how permissions and privileges are granted.

    Domain Admins are by default members of local Administrators group on every domain member server. This grants them privileges to manage domain member computers. If you remove that group from local Administrators, they will lose these privileges. The same applies to Administrator related permissions on Domain Controllers.

    There are, however, privileges which are granted directly to Domain Admins (e.g. the permission to promote/demote a domain controller).

    In short, you should NOT remove Domain Admins from the domain local Administrators group. This will have numerous negative consequences. You might consider removing Domain Admins from the local Administrators group on domain member computers - as long as you have alternative means of centrally managing domain member computers

    hth
    Marcin

    Wednesday, February 6, 2019 11:33 AM
  • Hi,

    1. What is the permissions difference between Active  directory "administrators" group and "domain admins" group? Does "administrators" has more permissions than "domain admins" group?

    Administrators group have full permission on all domain controllers in the domain.

    By default, domain Admins group is members of local administrators group of each members machine in the domain. It's also members of administrators group . So Domain Admins group has more permissions then Administrators group.

    2. Can we remove Enterprise admins and Domain admins group from "administrators" group in AD? Will there be reduced permissions when we remove these groups from "administrators" ?

    It's not recommended. there is no reason to remove domain Admin and enterprise Admins from this group. 


    Please don't forget to mark the correct answer, to help others who have the same issue. Thameur BOURBITA MCSE | MCSA My Blog : http://bourbitathameur.blogspot.fr/

    • Proposed as answer by Obujuwami Wednesday, February 6, 2019 10:15 PM
    • Marked as answer by Umesh S K Sunday, February 10, 2019 4:49 AM
    Wednesday, February 6, 2019 9:43 PM