Domain Admins vs. Administrators in Windows AD DC
Before a Domain Controller is promoted to that role, it is a simple workgroup (standalone) server and has a local Administrator account and a local Administrators group. When you create a domain, those accounts don't go away; they're incorporated into the domain as the domain Administrator account and the domain builtin\Administrators group.
The builtin\Administrators group has Administrative access to the Domain Controllers, but is not automatically granted administrative access to all computers within the domain, whereas Domain Admins are.
The domain admins group, and the AD builtin\Adminstrators group (not the local admin group on clients) effectively grant users in them the same rights, however there are some subtle differences:
- builtin\administrators is a domain local group, where as domain admins is a global group
- Domain admins are a memeber of builtin\administrators
- Domain admins are a member of the local admins group on each client pc
- The builtin\administrators group is there to provide backwards compatibility with pre-AD systems
This is a question with a simple and a complicated answer.
Simple answer is always use the domain admins group.
Complicated answer is that that domain admins gives admin to everything (DCs, servers and workstations) on the domain. builtin\Administrators initially only gives access to all DCs (it is a local group but gets replicated) but not servers or workstations. However admin access to a DC gives the ability to elevate themselves to domain admin. So from a security pov they are equivalent.
The main reason builtin\administrators exists is so that programs checking for admin access can check the same place on any machine.
DCs are the keys to your castle, you can never give admin to one and not another (effectively) or to the local server and not the whole domain so should not have programs/files that require local admin access only on them.
The bultin/administrators group is created by default when you install Windows. This group has complete and unrestricted access to the computer. By default the only user account that is a member of this group is Administrator.
The Domain Administrators group is only present in a Windows domain. This group has complete and unrestricted access to the entire domain, able to logon to any pc or server that is a member of the domain.
When a pc/server is added to a domain, the domain admins group automatically becomes a member of the builtin/administrators group, thus providing the domain administrators administrator-level access to the computer.
If you moved an account from the domain admins group to the builtin/adminstrators group, that account would be able to administer that local computer but nothing else, unless you added the account to other builtin/adminstrators groups.