Domain administrator vs local administrator, and accessing workstations remotely

permissions, windows-server-2008

I am experimenting with a home domain network based on Windows Server 2008. I initially assumed that since I am a domain administrator, I should also have full access rights to workstations on the domain. Then I read about 'local administrator' rights on workstations, and now it does not seem as clear cut.

Can somebody explain the relationship between a domain administrator and local administrator?

If I am a domain administrator, how can I obtain local administrator rights on all the domain-connected systems? Can I make some super-administrator account? I need to be able to access them remotely if it makes any difference.

Thanks!

Best Answer

When you join a workstation or server to a domain, the Domain Admins group is added to the local Administrators group and the Domain Users group is added to the local Users group. The only instances where this would not be the case would be if you were to use the Restricted Groups function in a GPO to alter the group membership of these groups or if you manually alter the membership of these groups.

The scope of user rights granted to each group is as their names imply: Domain Admins have administrator rights in the domain, including on all workstations and servers in the domain (domain scope). Local Administrators have administrator rights on the workstation or server where they exist but have no rights in the domain or on other workstations or servers (local scope).
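
One way to verify the membership described in the answer above, as an added example that is not part of the original answer: the script lists the local Administrators group on each named machine and warns when Domain Admins is missing, which points to a Restricted Groups GPO or a manual change. It assumes the group carries its English name "Administrators" and that the caller is allowed to query the target machines; with no arguments it checks only the local computer.

```powershell
# Added example: audit local Administrators membership on domain members.
# Assumptions: English group name "Administrators"; targets are reachable and
# the caller may query them. Uses the ADSI WinNT provider so it also works on
# PowerShell 2.0 (Windows Server 2008 era).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

function Get-LocalAdminMember {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $t        = $m.GetType()
        $path     = $t.InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
        $sidBytes = $t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        New-Object PSObject -Property @{
            Computer = $Computer
            Member   = $path -replace '^WinNT://', ''
            Sid      = $sid.Value
        }
    }
}

foreach ($c in $ComputerName) {
    try {
        $members = @(Get-LocalAdminMember -Computer $c)
        # Domain Admins is always <domain SID>-512, so match on the SID
        # rather than on a display name.
        $hasDomainAdmins = @($members |
            Where-Object { $_.Sid -match '^S-1-5-21-.*-512$' }).Count -gt 0
        $members | Select-Object Computer, Member, Sid
        if (-not $hasDomainAdmins) {
            Write-Warning "$c : Domain Admins is not in local Administrators (Restricted Groups GPO or manual change?)"
        }
    } catch {
        Write-Warning "$c : query failed: $($_.Exception.Message)"
    }
}
```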