When a member server is joined to one domain in a forest, should members of other-dom\domain admins be Administrators

Matthieu Patou mat at samba.org
Tue May 1 16:27:36 MDT 2012

On 05/01/2012 02:25 PM, Richard Sharpe wrote:
> Hi,
> When a member server, say SRV1 joins DOM1.someforest.local, should a
> member of OTHERDOM.DOM1.someforest.local also have membership of
> BUILTIN\Administrators on the  member server?
That's not very clear as a question BUILTIN\administrators is a well
known SID a user member of this group will have always the same SID in
his group list.
This is even true if you start a new forest you'll see that that the SID
is the same.
So if SRV1 grants some rights to BUILTIN\administrators, then a user
from OTHERDOM.DOM1.someforest.local with group membership to
BUILTIN\Administrators will be granted those rights (if the two domains
trust each others which is the default in a given forest but it can be

The thing is that being a member of DOM1\domain admins didn't grant
rights in OTHERDOM unless this group is explicitly granted. What is
usually done, is that users that needs to do cross domain admin are in
the Enterprise admins group.


Matthieu Patou
Samba Team

More information about the samba-technical mailing list