

User Authentication is a big deal in any organization. In most outfits, this is done through Windows. They deal with their users by making use of an Active Directory Server. The reason I bring this up is that just the other day I was asked about the difference between a user who is a Domain Administrator and one who is simply a Local Administrator. My response was that you need to tightly control them both, but when you get right down to it, being a Local Administrator is more powerful than being a Domain Administrator. This is a tricky topic to try and keep simple, but I will certainly do my best.

The easiest way to explain the difference between a Local Admin and a Domain Admin is to summarize the purpose of both types of accounts. So, consider a Domain Administrator: A Domain Administrator is basically a user authorized to make changes to global policies that impact all the computers and users connected to that Active Directory organization. They have permission to go anywhere and do anything, with the limitation being that they must remain within that specific outfit.

Now consider a Local Administrator: A Local Admin has permission to do anything but is restricted to one machine. On the surface it would seem that the Domain Administrator has more power, which is not really the case. You see, the limitation is that the Domain Administrator cannot do anything outside of the domain. A Local Administrator is already outside the domain and has the full power to do anything desired on the local machine, which IS PART of the domain. They can decode any part of the machine they want and even remove sections of it from the control of the domain.

The final proof I can offer that a Local Administrator trumps a Domain Administrator is that you can easily leverage Local Admin privileges in order to obtain Domain Administrator access. When I say “easily”, I am not exaggerating. While it requires a high level of skill and understanding to pull off, once you have that level of skill, it is not particularly complicated. You can find numerous YouTube videos that walk you through and explain the process in just a few minutes.

There is no such thing as an Administrator-level account that should not be monitored and restricted. This even applies to people in a position like the Techs who work at TRINUS, whose job it is to help customers and troubleshoot problems. Also, there is nothing that anyone does in their day-to-day activity that requires such a level of access all the time, and I do mean “anyone.” An organization of any sort has the obligation to protect itself, to the best of its abilities. A lot of the things they do have no need of Administrator privileges, although many things certainly do.
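To act on the point that every Administrator-level account should be monitored and restricted, the sketch below inventories who holds Local Administrator rights on a machine and marks anything not on an approved list. It is an added example, not something from the original post; the function name `Get-LocalAdminAudit` and the sample allowlist entry are assumptions made for illustration.

```powershell
# Added example: inventory the local Administrators group on this machine.
# Get-LocalAdminAudit and the default allowlist entry are hypothetical;
# supply your organization's own approved accounts and groups.
function Get-LocalAdminAudit {
    [CmdletBinding()]
    param(
        # Constructed sample value, in DOMAIN\Name form as returned by the cmdlet.
        [string[]]$Approved = @('EXAMPLE\Workstation-Admins')
    )

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # lookup does not depend on the display language of the OS.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop

    foreach ($m in $members) {
        $sid = $m.SID.Value
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $m.Name
            ObjectClass = $m.ObjectClass        # User or Group
            Source      = $m.PrincipalSource    # Local, ActiveDirectory, ...
            # The built-in Administrator account has a SID ending in -500.
            IsBuiltIn   = ($sid -match '^S-1-5-21-.*-500$')
            # -contains is case-insensitive for strings in PowerShell.
            IsApproved  = ($Approved -contains $m.Name)
            Sid         = $sid
        }
    }
}

# Show every member, unapproved entries first, for review.
Get-LocalAdminAudit |
    Sort-Object IsApproved, Member |
    Format-Table Computer, Member, ObjectClass, Source, IsBuiltIn, IsApproved -AutoSize
```

Run it from an elevated session on the machine being reviewed; domain user accounts that appear with `IsApproved` set to `False` are the ones holding standing Local Administrator rights outside the approved list.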
