If I modify BUILTIN\Administrators in the AD Users and Computers tool ...

[steve]

On Sat, 2013-07-06 at 07:41 -0700, Richard Sharpe wrote:
> On Sat, Jul 6, 2013 at 1:33 AM, Stefan (metze) Metzmacher
> <metze at samba.org> wrote:
> > Hi Richard,
> >
> >> If I modify BUILTIN\Administrators using the AD Users and Computers
> >> tool to add a local or domain user to that group, is it expected that
> >> this would apply to all DCs and Member Servers and Clients joined to
> >> the domain?
> >>
> >> I would say no, since these the BUILTIN groups are local to each
> >> machine. However, it is possible that there is something that rolls
> >> these changes out to all DCs in the domain, perhaps.
> >
> > All DCs share the same BUILTIN domain, it's located
> > in the AD tree: CN=Builtin,${DOMAINDN}
> 
> OK, so that I did not know.
> 
> However, I think I am on pretty firm ground when I say that member
> servers and workstations each have their own BUILTIN domain. Is that
> correct?
> 
> 
Hi
I'm hoping that the answer to that is 'no'. I'm really hoping that what
you are calling BUILTIN domain for workstations is in fact the local
administrator account. It would make a lot of sense for us if the
BUILTIN you were referring to was the admin that has to login to change
from workgroup to domain. Here's hoping. . .