A question I've received from a colleague this week which I could not give a straight answer to: What's the difference between BUILTIN\Administrators and Domain Admins?
Ok... after some intense googling:
If you add a user to the Built-in Administrators group on a domain controller, that user becomes an administrator on every domain controller in the domain: a DC has no separate local Administrators group, the one it uses is the BUILTIN\Administrators group stored in the domain directory itself, so all DCs share it. By extension, that user is a Domain Administrator in all but name.
The difference between making a user a member of Administrators on a domain controller and making them a member of the Domain Admins security group is an implementation detail.
Let's look at what actually differs:
Domain Admins is a global group, and it is added to the local Administrators group of every domain-joined workstation and member server when the machine joins the domain. BUILTIN\Administrators is a domain local group that lives on the domain controllers only; the Administrators group you see on a workstation or member server is that machine's own local group, which merely shares the well-known SID (S-1-5-32-544) with the one on the DCs. So making a user a Domain Admin automatically grants them rights on domain-joined workstations and servers, whereas membership of BUILTIN\Administrators on a DC does not.
At the end of the day, though, a member of BUILTIN\Administrators on a DC still has the effective rights of a Domain Admin: full control of the domain controllers and, through them, of the directory. The default AdminSDHolder permissions give Administrators full control over Domain Admins itself, so a determined user could simply add themselves to Domain Admins, or grant themselves whatever other rights they lack on workstations and member servers. This is a security issue not to take for granted!
From a security perspective, BUILTIN\Administrators membership should therefore be treated as the security equivalent of Domain Admins, even though certain implementation details differ. Microsoft treats both as protected groups under AdminSDHolder for exactly this reason: either one gives full control of the domain controllers, and a member of BUILTIN\Administrators on a DC can always grant themselves whatever rights they don't have by default on workstations and member servers. When you audit privileged access, audit both groups, and audit them recursively, because a nested group in either one confers the same power.
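Here is an added example of how to check this in practice; it is my own PowerShell, not code from the original post. It uses the ActiveDirectory (RSAT) module to resolve the domain's BUILTIN\Administrators group by its well-known SID, flattens its membership (nested groups included), and reports every principal in it that is not also in Domain Admins, Enterprise Admins, or the built-in Administrator account (RID 500), i.e. anyone who holds Domain Admin-equivalent power without appearing in Domain Admins. The function name Get-BuiltinAdminDrift and its $Server parameter are my own choices.

```powershell
# Added example (not from the original post): find principals that are in the domain's
# BUILTIN\Administrators group but not in Domain Admins / Enterprise Admins.
# Requires the ActiveDirectory module (RSAT) and read access to group membership.
Import-Module ActiveDirectory

function Get-BuiltinAdminDrift {
    [CmdletBinding()]
    param(
        # Domain controller to query; defaults to the PDC emulator of the current domain.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )

    $domain    = Get-ADDomain -Server $Server
    $domainSid = $domain.DomainSID.Value

    # BUILTIN\Administrators has the well-known SID S-1-5-32-544 in every domain,
    # so resolve it by SID rather than by a (localizable) display name.
    $adminsGroup = Get-ADGroup -Identity 'S-1-5-32-544' -Server $Server

    # -Recursive flattens nested groups, so a user placed in a group that is itself
    # a member of Administrators is still reported.
    $adminMembers = Get-ADGroupMember -Identity $adminsGroup -Recursive -Server $Server

    # Domain Admins is always <domain SID>-512.
    $daMembers = Get-ADGroupMember -Identity "$domainSid-512" -Recursive -Server $Server

    # Enterprise Admins (<root domain SID>-519) only exists in the forest root domain;
    # in a child domain the lookup fails and we simply treat it as empty.
    $eaMembers = @()
    try {
        $eaMembers = Get-ADGroupMember -Identity "$domainSid-519" -Recursive -Server $Server -ErrorAction Stop
    } catch {
        $eaMembers = @()
    }

    # Everything we expect to see in Administrators: DA, EA and the built-in
    # Administrator account (RID 500), which is a default member.
    $expectedSids = @(@($daMembers) + @($eaMembers) | ForEach-Object { $_.SID.Value })
    $expectedSids += "$domainSid-500"

    foreach ($m in $adminMembers) {
        if ($expectedSids -notcontains $m.SID.Value) {
            [pscustomobject]@{
                SamAccountName    = $m.SamAccountName
                ObjectClass       = $m.objectClass
                SID               = $m.SID.Value
                DistinguishedName = $m.distinguishedName
            }
        }
    }
}

# Anything listed here is effectively a Domain Admin that does not show up in Domain Admins.
Get-BuiltinAdminDrift | Format-Table -AutoSize
```

Run it from a domain-joined machine with RSAT as an account that can read group membership. An empty result means BUILTIN\Administrators contains nothing beyond Domain Admins, Enterprise Admins and the built-in Administrator account. Two caveats: in a child domain the Enterprise Admins group from the forest root appears in Administrators as a foreign security principal, which Get-ADGroupMember -Recursive may not be able to expand across the trust, so review those entries by hand; and the check only covers this domain, so repeat it per domain in the forest.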
So what's the point of Microsoft using BUILTIN\Administrators on domain controllers instead of just using Domain Admins?
Backwards compatibility with pre-Active Directory NOSs (Windows NT domains), the same as the rest of the BUILTIN objects. It's basically a legacy feature which Microsoft has not yet decided to remove...
Monday 31 August 2009