Appendix N: Default Active Directory Service Administrator Groups

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Every installation of Active Directory has a number of default service administrator groups, some of which have all service management abilities. For example, members of the Enterprise Admins, Domain Admins, and built-in Administrators groups can perform every administrative task involved in managing an Active Directory deployment. For all practical purposes, these three groups can be considered to have equal abilities: membership in any one of them is equivalent to full control of the domain (and, for Enterprise Admins, of the forest).

By default, these groups and accounts are granted access to directory and server resources when Active Directory is installed. The following table lists the default service administrator accounts and provides a brief description of each, including the qualities that make each group a service administrator group. For Scope, a scope of Forest means that the group exists only in the forest root domain (that is, it is stored on the domain controllers of that domain) and that its members have privileges in every domain in the forest as well as in the configuration and schema directory partitions. A scope of Domain means that the group exists in every domain, but its members have privileges only in the domain in which that instance of the group exists.

For more information about these groups, see Appendix B: Default Active Directory Security Groups earlier in this document.

Default Service Administrator Accounts

Each entry gives the account name (with its mnemonic), its scope, and a description.

Enterprise Admins (EA)

Scope: Forest

This group is automatically added to the Administrators group in every domain in the forest, which gives it complete access to the configuration of all domain controllers. It can modify the membership of all administrative groups. Its own membership can be modified only by the default service administrator groups in the forest root domain. This group is considered a service administrator group.

Schema Admins (SA)

Scope: Forest

This group has full administrative access to the schema. Its membership can be modified by any of the service administrator groups in the forest root domain. It is considered a service administrator group because its members can modify the schema, which governs the structure and content of the entire directory.

Administrators (BA)

Scope: Domain

This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups. Its own membership can be modified by the default service administrator groups BA and DA in the domain, as well as by the EA group. This group holds the special privilege to take ownership of any object in the directory or any resource on a domain controller, so an access-control list that excludes it can always be overridden. It is considered a service administrator group because its members have full access to the domain controllers in the domain.

Domain Admins (DA)

Scope: Domain

This group controls access to all domain controllers in a domain, and it can modify the membership of all administrative groups and accounts in the domain. Its own membership can be modified by the service administrator groups BA and DA in its domain, as well as by the EA group. It is considered a service administrator group because its members have full access to the domain's domain controllers.

Server Operators (SO)

Scope: Domain

By default, this built-in group has no members. It has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups BA and DA in the domain, as well as by the EA group. It cannot change the membership of any administrative group. It is considered a service administrator group because its members can log on locally to domain controllers and shut them down, can perform maintenance tasks (such as backup and restore), and, through those backup and restore rights, can replace binaries that are installed on the domain controllers.

Account Operators (AO)

Scope: Domain

By default, this built-in group has no members. It can create, manage, and delete users and groups in the Users and Computers containers and in other organizational units (OUs), but it cannot manage service administrator accounts or groups. In addition, members of this group cannot create computer accounts in the Domain Controllers OU, although they can modify and delete the computer accounts that are there. Members of this group can log on locally to domain controllers, but they cannot shut down or restart them. As a best practice, do not add members to this group, and do not use it for any delegated administration.

Backup Operators (BO)

Scope: Domain

By default, this built-in group has no members. It can perform backup and restore operations on domain controllers. Its membership can be modified by the default service administrator groups BA and DA in the domain, as well as by the EA group. It cannot modify the membership of any administrative group. Although members of this group cannot change server settings or modify the configuration of the directory, their restore right lets them replace files (including system files) on the domain controllers. Because of this, they are considered service administrators.

Administrator

Scope: Directory Services Restore Mode (local to each domain controller)

This special account is created during the Active Directory installation process, when the Directory Services Restore Mode password is set. It is a local account on the domain controller and is not the same as the Administrator account stored in the Active Directory database. It is used only to start the domain controller in Directory Services Restore Mode. In that mode, the account has full access to the directory database and to the files (including system files) on the domain controller. Because of this, it is considered a service administrator.
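The table above describes what each group can do but not how to find out who is actually in it. The following script is an added example, not part of the original appendix, that enumerates the effective (nested) membership of every group in the table in every domain of the forest and flags the built-in groups that the table says are empty by default. It assumes the ActiveDirectory PowerShell module is available and that the account running it can read group membership in every domain; the SID suffixes and built-in SIDs are the well-known values for these groups, used instead of names so that renamed or localized groups are still found.

```powershell
# Added example (not from the original appendix): audit the default service
# administrator groups listed above across every domain in the forest.
# Assumes the ActiveDirectory module and a credential that can read every domain.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = $forest.RootDomain

# Forest-scoped groups exist only in the root domain (domain SID + well-known RID).
$forestGroups  = @{ 'Enterprise Admins (EA)' = '-519'; 'Schema Admins (SA)' = '-518' }
# Domain-scoped group with a well-known RID in every domain.
$domainGroups  = @{ 'Domain Admins (DA)' = '-512' }
# Built-in groups have the same fixed SID in every domain.
$builtinGroups = @{
    'Administrators (BA)'    = 'S-1-5-32-544'
    'Server Operators (SO)'  = 'S-1-5-32-549'
    'Account Operators (AO)' = 'S-1-5-32-548'
    'Backup Operators (BO)'  = 'S-1-5-32-551'
}
# The appendix states these three are empty by default; any member is a finding.
$expectedEmpty = @('Server Operators (SO)', 'Account Operators (AO)', 'Backup Operators (BO)')

# The DSRM Administrator is a local SAM account on each domain controller, so it
# is not visible through AD queries and is deliberately not covered here.

$report = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dc     = $domain.PDCEmulator
    $sid    = $domain.DomainSID.Value

    # Build the set of group SIDs to inspect in this domain.
    $targets = @{}
    if ($domainName -eq $rootDomain) {
        foreach ($k in $forestGroups.Keys) { $targets[$k] = $sid + $forestGroups[$k] }
    }
    foreach ($k in $domainGroups.Keys)  { $targets[$k] = $sid + $domainGroups[$k] }
    foreach ($k in $builtinGroups.Keys) { $targets[$k] = $builtinGroups[$k] }

    foreach ($label in $targets.Keys) {
        $group = Get-ADGroup -Identity $targets[$label] -Server $dc
        try {
            # -Recursive expands nested groups; nesting is how unintended
            # service-administrator membership is usually acquired.
            $members = @(Get-ADGroupMember -Identity $group -Server $dc -Recursive -ErrorAction Stop |
                         Sort-Object -Property DistinguishedName -Unique)
            $error_  = ''
        } catch {
            # Cross-domain foreign security principals can make the recursive
            # expansion fail; record it rather than silently report zero members.
            $members = @()
            $error_  = $_.Exception.Message
        }

        $finding = ''
        if ($expectedEmpty -contains $label -and $members.Count -gt 0) {
            $finding = 'Non-empty: appendix says this group has no members by default'
        }

        [pscustomobject]@{
            Domain      = $domainName
            Group       = $label
            Scope       = if ($forestGroups.ContainsKey($label)) { 'Forest' } else { 'Domain' }
            MemberCount = $members.Count
            Members     = ($members | ForEach-Object { $_.SamAccountName }) -join ';'
            Finding     = $finding
            Error       = $error_
        }
    }
}

$report | Sort-Object Domain, Group | Format-Table -AutoSize
```

Run it from a workstation with the Remote Server Administration Tools installed, using an account that can read group membership in every domain. The Administrators (BA) entry in each child domain will show the root domain's Enterprise Admins as a nested member, which matches the table; anything else nested into BA, DA, or EA that is not a known service administrator account is worth investigating, as is any member at all in the three groups flagged by the Finding column.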