Types of Administrators in Active Directory (AD)
In Active Directory (AD), different types of administrators have varying levels of control over resources. Here are the key ones:
1. Enterprise Admins (Enterprise Admins group)
- Highest privilege level in the entire Active Directory forest (multiple domains).
- Can manage domains, create/delete domains, and modify AD configuration across the forest.
- Only available in the forest root domain.
2. Domain Admins (Domain Admins group)
- Have full control over a specific domain.
- Can create users, manage computers, modify Group Policy, and control all domain resources.
- Are members of the Administrators group on every machine in the domain.
3. Administrators (Administrators group on individual machines)
- Have full control over a local computer but not the entire domain.
- On a domain controller, members of this group have full control over the domain.
- Domain Admins are automatically part of this group on domain controllers.
4. Schema Admins (Schema Admins group)
- Can modify the AD schema, meaning they can define new object types, attributes, and classes.
- Changes are permanent and affect the entire AD forest.
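
To review who actually holds these privileges, the following added example (not part of the original page) lists the members of the four groups above and marks whether each account is a direct member or reaches the group through nesting. It assumes the ActiveDirectory PowerShell module (RSAT), read access to the directory, and the default English group names.

```powershell
# Added example: audit membership of the four privileged groups described above.
# Assumes the ActiveDirectory module (RSAT) and default English group names.
Import-Module ActiveDirectory

$rootDomain = (Get-ADForest).RootDomain   # Enterprise Admins and Schema Admins exist only here
$thisDomain = (Get-ADDomain).DNSRoot      # domain of the logged-on user

# Group name -> domain that holds the group
$targets = [ordered]@{
    'Enterprise Admins' = $rootDomain
    'Schema Admins'     = $rootDomain
    'Domain Admins'     = $thisDomain
    'Administrators'    = $thisDomain     # built-in group as seen on domain controllers
}

$report = foreach ($name in $targets.Keys) {
    $server = $targets[$name]

    # Direct members only (may include nested groups such as Domain Admins)
    $direct = Get-ADGroupMember -Identity $name -Server $server |
        Select-Object -ExpandProperty distinguishedName

    # -Recursive flattens nested groups and returns only the leaf accounts
    $effective = Get-ADGroupMember -Identity $name -Server $server -Recursive

    foreach ($m in $effective) {
        [pscustomobject]@{
            Group  = $name
            Domain = $server
            Member = $m.SamAccountName
            Type   = $m.objectClass
            Via    = if ($direct -contains $m.distinguishedName) { 'direct' } else { 'nested' }
        }
    }
}

# Full listing, then a per-group count of effective members
$report | Sort-Object Group, Via, Member | Format-Table -AutoSize
$report | Group-Object Group | Select-Object Name, Count | Format-Table -AutoSize
```

Accounts shown as nested under Administrators typically arrive there through Domain Admins or Enterprise Admins, which is the inheritance described in item 3.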