If I modify BUILTIN\Administrators in the AD Users and Computers tool ...

Richard Sharpe realrichardsharpe at gmail.com
Sat Jul 6 10:28:28 MDT 2013

On Sat, Jul 6, 2013 at 8:34 AM, steve <steve at steve-ss.com> wrote:
> On Sat, 2013-07-06 at 07:41 -0700, Richard Sharpe wrote:
>> On Sat, Jul 6, 2013 at 1:33 AM, Stefan (metze) Metzmacher
>> <metze at samba.org> wrote:
>> > Hi Richard,
>> >
>> >> If I modify BUILTIN\Administrators using the AD Users and Computers
>> >> tool to add a local or domain user to that group, is it expected that
>> >> this would apply to all DCs and Member Servers and Clients joined to
>> >> the domain?
>> >>
>> >> I would say no, since the BUILTIN groups are local to each
>> >> machine. However, it is possible that there is something that rolls
>> >> these changes out to all DCs in the domain, perhaps.
>> >
>> > All DCs share the same BUILTIN domain, it's located
>> > in the AD tree: CN=Builtin,${DOMAINDN}
>> OK, so that I did not know.
>> However, I think I am on pretty firm ground when I say that member
>> servers and workstations each have their own BUILTIN domain. Is that
>> correct?
> Hi
> I'm hoping that the answer to that is 'no'. I'm really hoping that what
> you are calling BUILTIN domain for workstations is in fact the local
> administrator account. It would make a lot of sense for us if the
> BUILTIN you were referring to was the admin that has to login to change
> from workgroup to domain. Here's hoping. . .

No. The BUILTIN domain exists on each Windows server and contains such
things as BUILTIN\Administrators, BUILTIN\Users, etc. These are groups
for the most part (perhaps exclusively) and have SIDs starting with

When you join a domain, DOM\Domain Admins is added to BUILTIN\Administrators.

Richard Sharpe
