
I'm working to learn administrative account functions. My question specifically is about the difference between domain and local administrator accounts. When logging into a server or workstation remotely for the first time, do you need to log in as the domain administrator first, or can you log in remotely as the local administrator account first? Also, what are some events in which one would want to use a local admin account vs a domain admin account? I've been reading up on the differences between the two and from what I can tell, it seems that you would want to use a local account for functions specific to a workstation and a domain account for functions specific to the domain. Any help would be appreciated.

Regards, Josh

EEAA
xpkiro

3 Answers


The Domain Administrators group is, by default, a member of the local Administrators group on all member servers and computers, and as such, from a local administrator's point of view, the rights assigned are the same.

The difference comes in when working on Active Directory. Domain Administrators have elevated rights to administer and make changes to it.

It is highly recommended not to give Domain Administrator rights to anyone except those directly responsible for AD administrative tasks.

If, for example, somebody requests administrative rights to all devices, never give them Domain Administrator rights. Rather, add a new AD group to all devices' local Administrators groups via Restricted Groups or GPO Preferences.


"When logging into a server or workstation remotely for the 1st time, do you need to login as the domain administrator first or can you login remotely as the local administrator account 1st?" - Not critical, but log in first as local admin to initiate the home directories locally on that remote machine, so that if you need to log in during a domain loss, it will start much faster.

"Also, what are some events in which one would want to use a local admin account vs a domain admin account?" - In case of a domain crash. The only way to restore a DC from backup is to log in as local admin.

"it seems that you would want to use a local account for functions specific to a workstation and a domain account for functions specific to the domain." - If you are a Domain admin, then try to do everything as Domain admin to avoid physical trips to workstations. There are some situations where not-really-smart programmers force users to use their apps with elevated privileges. In such a case, do not give Domain admin rights on that workstation; use the local administrator instead.

Alex
  • As a follow up, if the domain admin credentials aren't cached on the workstation or server, am I correct in stating you won't be able to login as a domain admin? – xpkiro Jul 28 '15 at 16:26
  • You can't log in as a Domain admin if there is no connection to the DC, regardless of whether it is cached or not. – Alex Jul 28 '15 at 16:30
  • Ok that makes sense, but assuming that it is connected and you've never logged in as the domain admin before, can you log in as a domain administrator, or do you need to log in as the local admin first in order to allow for a domain admin login in the future? Essentially, does the local admin login have to happen first in order to allow for the domain admin login? – xpkiro Jul 28 '15 at 16:34
  • If the workstation is joined to the domain and the DC is up and running, then the domain admin can access any such workstation, regardless of who logged in before. – Alex Jul 28 '15 at 17:10
  • Ok thanks for clarifying Alex. I started a new job where I'm having to learn a lot about troubleshooting workstation and account issues. I'm trying to learn as much as I can. – xpkiro Jul 28 '15 at 18:07
  • No problem. The first thing that you need there is to make sure they have a backup set on the server. Use standard Windows backup; it is a simple and reliable way to recover the network. The backup should be on a dedicated hard drive (better connected via SATA/SCSI for speed, or USB 3 at least). A domain network is good while it's working, but if something goes wrong on a server, the whole network is out of business, especially if the server is used as the primary DNS; then even access to the internet will be a problem. – Alex Jul 28 '15 at 20:37
  • If the local admin on the workstation(s) wasn't set (usual case: forgotten password for them), then even changing local DNS settings on them is a problem. – Alex Jul 28 '15 at 20:37
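The exchange above turns on a few things a defender can check before a domain outage happens: whether the built-in local Administrator account is usable at all, how many domain logons the host caches for use when no DC is reachable, and whether the machine's secure channel to the domain is currently intact. The following PowerShell script is an added example and not code from any answer in this thread; it assumes an elevated Windows PowerShell 5.1 or later session on the workstation or server being checked (the `Microsoft.PowerShell.LocalAccounts` module ships with Windows 10 / Server 2016 and later).

```powershell
# Added example (not from the thread): readiness check for the "domain loss"
# scenario discussed above. Run in an elevated PowerShell session on the host.

function Get-DomainLossReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Is the built-in local Administrator usable? Lookup is by the well-known
    #    RID 500 so a renamed account is still found.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $result.LocalAdminName        = $builtin.Name
    $result.LocalAdminEnabled     = [bool]$builtin.Enabled
    $result.LocalAdminPwdLastSet  = $builtin.PasswordLastSet
    $result.LocalAdminPwdRequired = [bool]$builtin.PasswordRequired

    # 2. How many domain logons does this host cache for use when no DC is
    #    reachable? The value is absent by default (Windows treats that as 10);
    #    0 means no domain account can log on without a DC.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
               -ErrorAction SilentlyContinue).CachedLogonsCount
    $result.CachedLogonsCount = if ($null -eq $cached) { 10 } else { [int]$cached }

    # 3. Can the machine reach a DC right now, and is its secure channel intact?
    try {
        $result.SecureChannelOK = Test-ComputerSecureChannel -ErrorAction Stop
    } catch {
        $result.SecureChannelOK = $false
    }

    # 4. Who currently holds local administrative rights on this host?
    $result.LocalAdministrators = @(Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { "$($_.PrincipalSource)/$($_.ObjectClass): $($_.Name)" })

    [pscustomobject]$result
}

Get-DomainLossReadiness | Format-List
```

A host that reports `LocalAdminEnabled = False` (or an unknown password) together with `CachedLogonsCount = 0` is exactly the case Alex describes: nobody can log on once the DC is gone, not even to fix local DNS settings.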

A Domain Administrator is a domain account that has administrative access to all machines in the domain, clients as well as servers. That level of access should be strictly limited to authorized administrators.

A Local Administrator is a local user account on one machine and has administrative access there, and no access at all to any other machine in the domain because it is unknown outside the local machine. It is useful mainly in situations where there is no connectivity to a domain controller, for example to remove a machine from the domain and re-join it. (A not-so-infrequent troubleshooting measure.) Even its usefulness for software installations is limited because it may not be able to access a network share where the software to be installed resides.

In between the two is a regular domain user who has been made a member (directly or indirectly) of the local Administrators group on one or more machines. Such a user can access servers and domain functions with regular user rights, but has administrative access on the selected machines. This is the solution of choice for applications that require administrator rights, power users who are allowed to break their own machines, or junior administrators who may do client installations but shouldn't mess with the crown jewels (yet).

Tilman Schmidt
  • `In between the two is a domain user which is member of the local Administrators group on one or more machines` - To be clear, this isn't the case by default. Domain users need to be explicitly added to the local Administrators group. – joeqwerty Jul 28 '15 at 21:07
  • Right you are. Thanks for the note. I have edited my answer hoping to clarify that point. – Tilman Schmidt Jul 29 '15 at 13:17
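Both the first answer (grant workstation admin rights through a dedicated AD group pushed into each device's local Administrators group, never through Domain Admins) and this answer (a regular domain user made a member of local Administrators on selected machines) describe the same least-privilege pattern. The PowerShell below is an added example, not code from any answer in this thread; it adds a dedicated domain group to the local Administrators group on the host it runs on and then audits the group's membership, flagging individual domain users that should be moved into a group. The group name `CONTOSO\Workstation-Admins` is a placeholder; it assumes an elevated session on a domain-joined Windows 10 / Server 2016 or later host. In practice you would push the membership via Restricted Groups or GPO Preferences as the first answer says, and use the audit part of this script on its own.

```powershell
# Added example (not from the thread). Grants local admin rights via a dedicated
# AD group instead of Domain Admins, then reports who holds local admin rights.
param(
    [string]$AdminGroup = 'CONTOSO\Workstation-Admins'   # placeholder domain group
)

function Add-DelegatedLocalAdmin {
    param([Parameter(Mandatory)][string]$Group)
    $members = @(Get-LocalGroupMember -Group 'Administrators')
    if ($members.Name -contains $Group) {
        Write-Verbose "$Group is already a member of local Administrators"
    } else {
        Add-LocalGroupMember -Group 'Administrators' -Member $Group
        Write-Verbose "Added $Group to local Administrators"
    }
}

function Get-LocalAdminFindings {
    # One object per member of local Administrators, with a note on whether the
    # grant follows the "group, not individual" rule from the answers above.
    $computer = $env:COMPUTERNAME
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        if ($_.PrincipalSource -eq 'Local') {
            $finding = 'local account'
        } elseif ($_.ObjectClass -eq 'Group') {
            $finding = 'domain group (expected)'
        } elseif ($_.ObjectClass -eq 'User') {
            $finding = 'individual domain user: move into a group'
        } else {
            $finding = 'unknown principal type'
        }
        [pscustomobject]@{
            Computer = $computer
            Member   = $_.Name
            Source   = $_.PrincipalSource
            Class    = $_.ObjectClass
            Finding  = $finding
        }
    }
}

Add-DelegatedLocalAdmin -Group $AdminGroup -Verbose
Get-LocalAdminFindings | Format-Table -AutoSize
```

Run across a fleet (for example via `Invoke-Command`), the audit output makes it easy to spot machines where someone took the shortcut the first answer warns against and added a Domain Admin or an individual user directly, rather than the delegated group.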