0

I have taken over a client from another consultant.

The current file server, which is a member server, is joined to the domain. BUT, if you look under control panel>administrative panel>local users or accounts, the domain_name\Administrator is not added to the server for local account. I never really gave much attention to this in the past and just came across it by accident while looking at the NTFS security settings on some folders. This means that the domain_name\administrator is not explicitly set in NTFS security, but I am assuming that since that person was the creator, they actually have control based on that user.

Should the domain_name\Administrator not be added to it (this is part of a member server) explicitly?

Thanks. gd

David Pashley
dasko

3 Answers

1

TheCleaner's answer is a bit unclear sounding to me, so I'm going to give it a go.

By default, when you join a Windows machine to a domain the "DOMAIN\Domain Admins" group from the domain is joined to the joining computer's "Administrators" group. The "DOMAIN\Domain Users" is joined to the joining computer's "Users" group.

By default, the "DOMAIN\Administrator" account is a member of "DOMAIN\Domain Admins". Since the "DOMAIN\Domain Admins" group gets joined to the "Administrators" group on each computer you join to the domain, the effect is that the "DOMAIN\Administrator" user becomes a member of the "Administrators" group on each computer joined to the domain.

(An aside: You can override this behaviour with a "Restricted Groups" policy if you want, but that's a different question and another can of worms.)

Evan Anderson
1

No, domain accounts are not explicitly added by default. Best practice would be to never add individual accounts to a server. Always create a domain-level group and add that to the local group on the server. As previously mentioned, the Domain Admins group gets added by default, not an account. Take a look at this webcast on best practices for managing groups:

TechNet Webcast: Windows Server 2003 Administration Series (Part 4 of 12): Group Management (Level 200)

Jim B
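The two answers above can be checked directly on the member server. The following is an added example, not part of any answer on this page: it lists the members of the local Administrators group, reports whether the domain's Domain Admins group is among them, and flags domain user accounts that were added individually instead of through a group. The function name `Get-LocalAdminAudit` is hypothetical; it assumes Windows PowerShell 5.1 or later (the `Microsoft.PowerShell.LocalAccounts` module) and an elevated session on the server.

```powershell
# Added example: audit the local Administrators group on a domain member server.
# Get-LocalAdminAudit is a hypothetical helper name, not a built-in cmdlet.

function Get-LocalAdminAudit {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # lookup still works if the group has been renamed or is localized.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'

    foreach ($m in $members) {
        $sid = $m.SID.Value

        # Domain Admins always has the relative ID 512 under the domain SID.
        $isDomainAdmins = $sid -match '^S-1-5-21-\d+-\d+-\d+-512$'

        # A domain *user* listed directly is what the second answer advises
        # against: access should come through a domain group instead.
        $isDirectDomainUser = ($m.PrincipalSource -eq 'ActiveDirectory') -and
                              ($m.ObjectClass -eq 'User')

        if ($isDirectDomainUser) {
            $finding = 'Domain user added directly; prefer a domain group'
        } elseif ($isDomainAdmins) {
            $finding = 'Default membership created at domain join'
        } else {
            $finding = 'Review'
        }

        [pscustomobject]@{
            Name           = $m.Name
            ObjectClass    = $m.ObjectClass
            Source         = $m.PrincipalSource
            IsDomainAdmins = $isDomainAdmins
            Finding        = $finding
        }
    }
}

$report = @(Get-LocalAdminAudit)
$report | Format-Table -AutoSize

# If Domain Admins is absent, DOMAIN\Administrator has no implicit local
# admin rights here (removed by hand or by a Restricted Groups policy).
if (-not ($report | Where-Object { $_.IsDomainAdmins })) {
    Write-Warning 'Domain Admins is not a member of the local Administrators group.'
}
```

On a server left at its defaults, the output shows the local Administrator account and `DOMAIN\Domain Admins`, and no separate entry for `DOMAIN\Administrator`, which is the situation described in the question.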
0

DOMAIN\Administrator is a domain account, not a local account. As such it should be listed in the GROUPS section (implicitly or explicitly) in the Administrators group.

So it will either show up as "DOMAIN\Administrator" in that group list, or it will be included in "DOMAIN ADMINISTRATORS" in that group list.

This assumes that either of those is in that group.

You can set them in the group if not.

You will need to use Active Directory Users and Computers to check which groups the Administrator account for the domain is a part of in the domain itself (like Domain Administrators).

TheCleaner