If I modify BUILTIN\Administrators in the AD Users and Computers tool ...

Matthieu Patou mat at matws.net
Sun Jul 7 13:10:10 MDT 2013

On 07/06/2013 07:41 AM, Richard Sharpe wrote:
> On Sat, Jul 6, 2013 at 1:33 AM, Stefan (metze) Metzmacher
> <metze at samba.org> wrote:
>> Hi Richard,
>>> If I modify BUILTIN\Administrators using the AD Users and Computers
>>> tool to add a local or domain user to that group, is it expected that
>>> this would apply to all DCs and Member Servers and Clients joined to
>>> the domain?
>>> I would say no, since these the BUILTIN groups are local to each
>>> machine. However, it is possible that there is something that rolls
>>> these changes out to all DCs in the domain, perhaps.
>> All DCs share the same BUILTIN domain, it's located
>> in the AD tree: CN=Builtin,${DOMAINDN}
> OK, so that I did not know.
> However, I think I am on pretty firm ground when I say that member
> servers and workstations each have their own BUILTIN domain. Is that
> correct?
I think so, to be sure in a Windows server / workstation create a share
only accessible by BUILTIN\administrators and add to it a simple domain
user. If the domain user can access the share it confirms what you think.


More information about the samba-technical mailing list