Samba TNG FAQ updated

Paul J Collins pjdc at
Thu Apr 27 18:22:55 GMT 2000

>>>>> "Jamie" == Jamie ffolliott <jffolliott at> writes:

    >> The effect of adding a user to the DOMAIN\Administrators group
    >> is that they would be local admins of the domain controllers
    >> only.  It's not necessary for normal operation, and I don't
    >> think it's done much, unless you trust people with your DCs but
    >> not your SQL servers.

    Jamie> Hmm? Adding a user to DOMAIN\Administrators group means
    Jamie> that user will be a local admin of all the PDC and it's
    Jamie> BDC's, *as well* as a local admin on the workstations
    Jamie> joined to this domain (by default).  It's done very often
    Jamie> because it's Microsoft's default when the workstation joins
    Jamie> the domain.

No.  If you add a user to the DOMAIN\Administrators local group, they
will only have admin rights to the domain controllers.  A user must be
added to DOMAIN\Domain Admins to have admin rights to all the machines
in the domain.  The local groups in the domain have *nothing* to do
with the local groups on the workstations.

    Jamie> If you trust people with your DC's then you inherently
    Jamie> trust them with your SQL servers if you don't remove the
    Jamie> Domain\Administrators group from the
    Jamie> Workstation\Administrators group on the server SQLServ runs
    Jamie> on, but why would you bother since the domain admins are
    Jamie> already trusted to administer your domain?

This was a facetious example designed to illustrate the effects of
adding a user to DOMAIN\Administrators.  It wasn't meant as anything
else, and I acknowledged that it was an unlikely scenario.

Note also that you *can't* put DOMAIN\Administrators into another
group; it's a *local* group.  The group that goes into
WORKSTATION\Administrators is DOMAIN\Domain Admins.

    Jamie> Sorry.. you didn't make sense there ;)

The point I used the example to illustrate is correct.

I also made a statement that DOMAIN\Domain Admins (as well as Domain
Users and Domain Guests) are not added to the equivalent local groups
on the domain controllers (i.e. in the domain SAM).  In fact, they
are.  I checked today on a few NT domains.


Paul Collins <sneakums at> - - - - - [ A&P,a&f ]
 GPG: 0A49 49A9 2932 0EE5 89B2  9EE0 3B65 7154 8131 1BCD
 PGP: 88BA 2393 8E3C CECF E43A  44B4 0766 DD71 04E5 962C
"Linux: it's just this operating system, you know?"

More information about the samba-ntdom mailing list