If I modify BUILTIN\Administrators in the AD Users and Computers tool ...

Richard Sharpe realrichardsharpe at gmail.com
Sat Jul 6 10:28:28 MDT 2013


On Sat, Jul 6, 2013 at 8:34 AM, steve <steve at steve-ss.com> wrote:
> On Sat, 2013-07-06 at 07:41 -0700, Richard Sharpe wrote:
>> On Sat, Jul 6, 2013 at 1:33 AM, Stefan (metze) Metzmacher
>> <metze at samba.org> wrote:
>> > Hi Richard,
>> >
>> >> If I modify BUILTIN\Administrators using the AD Users and Computers
>> >> tool to add a local or domain user to that group, is it expected that
>> >> this would apply to all DCs and Member Servers and Clients joined to
>> >> the domain?
>> >>
>> >> I would say no, since the BUILTIN groups are local to each
>> >> machine. However, it is possible that there is something that rolls
>> >> these changes out to all DCs in the domain, perhaps.
>> >
>> > All DCs share the same BUILTIN domain, it's located
>> > in the AD tree: CN=Builtin,${DOMAINDN}
>>
>> OK, so that I did not know.
>>
>> However, I think I am on pretty firm ground when I say that member
>> servers and workstations each have their own BUILTIN domain. Is that
>> correct?
>>
>>
> Hi
> I'm hoping that the answer to that is 'no'. I'm really hoping that what
> you are calling BUILTIN domain for workstations is in fact the local
> administrator account. It would make a lot of sense for us if the
> BUILTIN you were referring to was the admin that has to login to change
> from workgroup to domain. Here's hoping. . .

No. The BUILTIN domain exists on each Windows server and contains such
things as BUILTIN\Administrators, BUILTIN\Users, etc. These are groups
for the most part (perhaps exclusively) and have SIDs starting with
S-1-5-32.

When you join a domain, DOM\Domain Admins is added to BUILTIN\Administrators.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)
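
Added example, not part of the original message or of Samba's code: a decoder for the binary SID format that separates BUILTIN aliases (S-1-5-32-...) from S-1-5-21 account SIDs, as you would when reviewing who sits in BUILTIN\Administrators. The function names and the domain sub-authority values in the sample are constructed for illustration.

```python
import struct

# Well-known alias RIDs inside the BUILTIN domain (S-1-5-32-<RID>).
BUILTIN_ALIASES = {544: "Administrators", 545: "Users", 546: "Guests"}
# Well-known RIDs appended to a domain SID (S-1-5-21-<a>-<b>-<c>-<RID>).
DOMAIN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}


def decode_sid(raw: bytes) -> str:
    """Decode a binary SID (the objectSid wire format) to its string form."""
    if len(raw) < 8:
        raise ValueError("shorter than the 8-byte SID header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "-".join(["S", "1", str(authority)] + [str(s) for s in subs])


def classify(sid: str):
    """Return (scope, name) for a string SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID string")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        return ("BUILTIN", BUILTIN_ALIASES.get(subs[1], "RID %d" % subs[1]))
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        # S-1-5-21 prefixes both AD domain SIDs and a machine's local SAM SIDs.
        return ("domain-or-local-SAM", DOMAIN_RIDS.get(subs[4], "RID %d" % subs[4]))
    return ("other", sid)


def pack_sid(authority, *subs):
    """Build a binary SID; used here only to construct sample input."""
    body = struct.pack("<%dI" % len(subs), *subs)
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + body


# Constructed sample: the alias itself and one member a joined machine would list.
SAMPLES = [pack_sid(5, 32, 544),
           pack_sid(5, 21, 1111111111, 2222222222, 3333333333, 512)]

if __name__ == "__main__":
    for raw in SAMPLES:
        sid = decode_sid(raw)
        print(sid, classify(sid))
```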


More information about the samba-technical mailing list