Posted by Joe Richards [MVP] on April 28, 2006, 10:20 am
Domain Admins is a group with domain affinity, so that means that you can add
Domain Admins to groups on machines anywhere that trusts the domain
(workstations, servers, other domains, etc.). This is why you can manage
workstations, etc. in the domain if you have domain admins rights: the domain
admin group was added to the local admins groups on the machines.
Other than that, look at the ACLs on AD objects and that will tell you what an
Admin can do versus a Domain Admin or even an Enterprise Admin. The permissions
do vary; however, any one of those groups can easily attain the permissions of
the other on a DC.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
OM wrote:
> Hi,
>
> What is the main difference, in terms of user privilege, between the
> administrators group and domain admins group in active directory?
> Accounts in either groups allow me to manage AD. It seems that only the
> domain admins group can administer domain workstations and servers.
>
> Thanks
>
> OM
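
The two checks described in the reply, as an added example that is not part of the original post: list the ACEs each of the three groups holds on an AD object, and list the groups nested in a machine's local Administrators group. It assumes the RSAT ActiveDirectory module and a domain-joined session; the function name `Get-AdminGroupAce` is hypothetical.

```powershell
# Added example, not from the original thread.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-AdminGroupAce {
    param(
        # DN of the object to inspect; defaults to the domain root.
        [string]$DistinguishedName = (Get-ADDomain).DistinguishedName
    )
    $groups = 'Administrators', 'Domain Admins', 'Enterprise Admins'
    # The AD: drive is created when the ActiveDirectory module is imported.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        # IdentityReference looks like BUILTIN\Administrators or DOMAIN\Domain Admins;
        # keep only the part after the last backslash.
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($groups -contains $name) {
            [pscustomobject]@{
                Group      = $name
                Type       = $ace.AccessControlType
                Rights     = $ace.ActiveDirectoryRights
                Inherited  = $ace.IsInherited
                AppliesTo  = $ace.InheritanceType
                ObjectType = $ace.ObjectType
            }
        }
    }
}

# 1) What each group is granted on the domain root object.
Get-AdminGroupAce | Sort-Object Group | Format-Table -AutoSize

# 2) Groups nested in the local Administrators group
#    (run on a member workstation or server). Domain Admins appearing here
#    is what gives its members admin rights on that machine.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object ObjectClass -eq 'Group' |
    Select-Object Name, PrincipalSource
```

Pass `-DistinguishedName` with another object's DN to compare the same three groups on that object.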