Executive summary questions: With Windows 7, what are the functional differences between the built in Administrator account and a domain account put into the local admin group? Is there a way to make a domain account put into the local admin group equivalent in powers to the built in Administrator (as it was in XP)? [*without* disabling UAC, as I saw one suggestion in another thread] Is there any official documentation/MS Whitepaper that delves into this topic? Slightly longer rambling: I've been frustrated by situations where we need to use the local administrator account to accomplish some task or install certain software. The password to builtin\administrator is NOT something I want to be passing around to the entire IT department. If one does an Internet search on "build in administrator Windows 7" (or something along that line) there is a lot of off-the-cuff discussion about how the built in administrator is different in that it is not a split token (as with accounts put into the local administrators group), but I haven't seen any authoritative references, discussion or documentation about what exactly "builtin\Administrator" can do but "domain\AdminInLocalAdminsGroup" cannot, or how the latter account can be given equivalent powers to the former. If anyone can answer the above questions and/or point me to a really good resource on this topic (I've searched the MS web site, MS Premier and the net in general) they will have my eternal gratitude.

Hi, We can make a domain account put into the local admin group, you can install/uninstall or update without problems. There are three kinds of accounts, built in Administrator, domain administrator and domain account in local admin group. Domain admins are automatically members of the local Administrator group but not vice versa. This means that a local admin has no access to servers or other PCs unless the account names & passwords are synchronized. If the local network disconnect and the cache is refreshed, sometimes you will find that the built in Administrator can logon but the domain\Admin in local admin group cannot.

Thanks for your reply. I'm aware of the differences between local and domain accounts, the issue is that in Windows 7 a domain account that is a member of the local administrator group (whether automatically by virtue of being a Domain Admin or not) does not have the same powers on the machine as the built in Administrator. I want to know exactly what those practical differences are (e.g. registry keys that can't be modified, etc) an what can be done to make Windows 7 non-built-in-but-local-administrators behave just like XP/Win2K/NT.

Hi, I think that maybe UAC is the reason why you ask this question. If you disable UAC in Winodws 7, the non-built-in but loacal administrator behaves no difference between Windows 7 and Windows XP. There is only one built-in Administrator but you may create lots of accounts in local aministrators group. As we all know, the SID of built-in and other administrators are different. This makes for bad programming logic by third party. So UAC has been designed since Windows Vista. User Account Control Step-by-Step Guide http://technet.microsoft.com/en-us/library/cc709691(v=ws.10).aspx Hope that helps.

I'm sorry but I don't ask the question because of UAC. I ask the question because we've run into engineering matters where only the local admin account count accomplish a task. I'll just get the specifics and open a ticket with technical support.