0 Votes
LukeMooreTIA-7345 asked VickyWang-MFST answered

What does adding computers to the Builtin Administrators AD Group achieve?

I am seeing computers listed under the builtin\administrators group for one of my customers, and it isn't something I have ever come across before, and Google isn't giving me much to go off. Can anyone confirm what adding a domain joined computer object to the builtin\administrators group will achieve, if anything?

windows-active-directory windows-server-security

0 Votes
Crypt32 answered

Can anyone confirm what adding a domain joined computer object to the builtin\administrators group will achieve, if anything?

Nothing useful and can be quite harmful. I believe it is simply a misconfiguration. "BUILTIN\Administrators" MUST NOT contain any computer accounts or groups that contain computer accounts.


0 Votes
VickyWang-MFST answered

Hi,

Thank you for posting in our forum.

"Members of the Administrators group have complete and unrestricted access to the computer, or if the computer is promoted to a domain controller, members have unrestricted access to the domain."

The Administrators group has built-in capabilities that give its members full control over the system. This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups.

Hope this information can help you.

Best wishes

Vicky


0 Votes
VickyWang-MFST answered Crypt32 commented

Hi,

Thank you for posting in our forum.

Microsoft does not support adding computers to the Builtin Administrators AD Group; this operation is not safe.

Hope this information can help you.

Best wishes

Vicky


I would like something to go back to the customer with explaining why it is not safe. Does it give the computer account administrative permissions and/or all users on the computer those permissions?

0 Votes 0 ·
Crypt32 LukeMooreTIA-7345 ·

The computer itself and anything that acts on behalf of the computer (running locally) can escalate them to domain admins. Plain and simple.

1 Vote 1 ·
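To find the computer accounts the answers above warn about, the following audit lists every computer object that is a member of BUILTIN\Administrators, directly or through nested groups. It is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory module and read access to the domain, and the function name `Get-BuiltinAdminComputer` is hypothetical.

```powershell
# Added example: audit BUILTIN\Administrators for computer accounts.
# Assumes the ActiveDirectory module (RSAT) and read access to the current domain.
Import-Module ActiveDirectory

function Get-BuiltinAdminComputer {
    [CmdletBinding()]
    param()

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
    # so the lookup works even where the group name is localized.
    $group = Get-ADGroup -Identity 'S-1-5-32-544' -Properties member

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the
    # directory follow nested group membership, so a computer that is a
    # member of a group inside Administrators is returned as well.
    # Note: a DN containing ( ) * or \ would need LDAP filter escaping.
    $filter = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"

    Get-ADComputer -LDAPFilter $filter | ForEach-Object {
        [pscustomobject]@{
            Computer   = $_.SamAccountName
            # Direct members appear in the group's own 'member' attribute;
            # everything else reached the group through nesting.
            Membership = if ($group.member -contains $_.DistinguishedName) { 'Direct' } else { 'Nested' }
            Enabled    = $_.Enabled
            DN         = $_.DistinguishedName
        }
    }
}

$findings = @(Get-BuiltinAdminComputer)
if ($findings.Count -eq 0) {
    Write-Output 'No computer accounts found in BUILTIN\Administrators.'
} else {
    # Each row is a machine identity holding administrative rights in the domain.
    $findings | Sort-Object Membership, Computer | Format-Table -AutoSize
}
```

Rows marked `Nested` point to an intermediate group that should be reviewed, since removing the computer from Administrators alone will not change its effective membership.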