6.1.3.8 Default Administrators Group

The "default administrators group" (DAG), which is used for OWNER/GROUP defaulting and also in OWNER write access checks, is computed based on two inputs: the contents of the requester's token and the location of the object whose SD is being written. The following rules are applied (in order):

  1. When the object belongs to a domain NC:

    1. If the user is a member of Domain Admins for this domain, then Domain Admins is designated as the DAG.

    2. If the user is a member of Enterprise Admins for the forest, then Enterprise Admins is designated as the DAG.

    3. Otherwise, the DAG is undefined.

  2. When the object belongs to the config NC:

    1. If the user is a member of Enterprise Admins, then Enterprise Admins is designated as the DAG.

    2. If the user is a member of Domain Admins (for the domain that the current DC belongs to), then this Domain Admins group is designated as the DAG.

    3. Otherwise, the DAG is undefined.

  3. When the object belongs to the schema NC:

    1. If the user is a member of Schema Admins, then Schema Admins is designated as the DAG.

    2. If the user is a member of Enterprise Admins, then Enterprise Admins is designated as the DAG.

    3. If the user is a member of Domain Admins (for the domain that the current DC belongs to), then this Domain Admins group is designated as the DAG.

    4. Otherwise, the DAG is undefined.

  4. When the object belongs to an application NC:

    1. If the user is a member of Domain Admins for the domain that is designated as sdReferenceDomain for this application NC, then this Domain Admins group is designated as the DAG.

    2. If the user is a member of Enterprise Admins, then Enterprise Admins is designated as the DAG.

    3. Otherwise, the DAG is undefined.
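The four rule sets above, carried through as an added example (not code from MS-ADTS or from any directory implementation). Group membership is modelled as the presence of the group's SID in the requester's token; the well-known RIDs 512, 518 and 519 derive the Domain Admins, Schema Admins and Enterprise Admins SIDs from domain SIDs; the forest-root domain SID, the domain SID of the DC processing the write, and the application-NC-to-sdReferenceDomain mapping are supplied by the caller. The sample domain SIDs and the application NC name are constructed for the illustration.

```python
"""DAG selection modelled on MS-ADTS 6.1.3.8 (added illustration, not spec code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

# Well-known RIDs of the three groups the rules mention.
DOMAIN_ADMINS_RID = 512
SCHEMA_ADMINS_RID = 518
ENTERPRISE_ADMINS_RID = 519


def group_sid(domain_sid: str, rid: int) -> str:
    """Build a group SID from a domain SID and a well-known RID."""
    return f"{domain_sid}-{rid}"


@dataclass
class ForestContext:
    """Facts the DC needs to name the candidate groups (caller-supplied).

    Enterprise Admins and Schema Admins exist only in the forest root domain,
    so both derive from root_domain_sid. dc_domain_sid is the domain of the DC
    processing the write; sd_reference_domain maps an application NC DN to the
    SID of its sdReferenceDomain.
    """
    root_domain_sid: str
    dc_domain_sid: str
    sd_reference_domain: Dict[str, str] = field(default_factory=dict)


def default_administrators_group(token_group_sids: Iterable[str], nc_type: str,
                                 forest: ForestContext,
                                 object_domain_sid: Optional[str] = None,
                                 app_nc_dn: Optional[str] = None) -> Optional[str]:
    """Return the SID of the DAG, or None when the DAG is undefined.

    Membership is taken as "the group SID is present in the requester's token"
    (an assumption of this example). Each candidate list encodes the per-NC
    precedence of section 6.1.3.8; the first candidate found in the token wins.
    """
    token = set(token_group_sids)
    ea = group_sid(forest.root_domain_sid, ENTERPRISE_ADMINS_RID)
    sa = group_sid(forest.root_domain_sid, SCHEMA_ADMINS_RID)
    dc_da = group_sid(forest.dc_domain_sid, DOMAIN_ADMINS_RID)

    if nc_type == "domain":
        if object_domain_sid is None:
            raise ValueError("domain NC requires the domain SID of the object")
        candidates = [group_sid(object_domain_sid, DOMAIN_ADMINS_RID), ea]
    elif nc_type == "config":
        candidates = [ea, dc_da]
    elif nc_type == "schema":
        candidates = [sa, ea, dc_da]
    elif nc_type == "application":
        if app_nc_dn not in forest.sd_reference_domain:
            raise ValueError("application NC requires a known sdReferenceDomain")
        candidates = [group_sid(forest.sd_reference_domain[app_nc_dn],
                                DOMAIN_ADMINS_RID), ea]
    else:
        raise ValueError(f"unknown NC type: {nc_type}")

    for candidate in candidates:
        if candidate in token:
            return candidate
    return None


# --- Constructed sample forest; SIDs and NC name are made up -------------
ROOT = "S-1-5-21-1000-1000-1000"          # forest root domain
CHILD = "S-1-5-21-2000-2000-2000"         # child domain
APP_NC = "DC=AppNC1,DC=example,DC=test"   # hypothetical application NC

ROOT_DC = ForestContext(ROOT, dc_domain_sid=ROOT, sd_reference_domain={APP_NC: CHILD})
CHILD_DC = ForestContext(ROOT, dc_domain_sid=CHILD, sd_reference_domain={APP_NC: CHILD})

ROOT_DA = group_sid(ROOT, DOMAIN_ADMINS_RID)
CHILD_DA = group_sid(CHILD, DOMAIN_ADMINS_RID)
EA = group_sid(ROOT, ENTERPRISE_ADMINS_RID)
SA = group_sid(ROOT, SCHEMA_ADMINS_RID)


def demo() -> Dict[str, Optional[str]]:
    """Walk the precedence rules over a few tokens and NC locations."""
    dag = default_administrators_group
    return {
        # Domain NC: Domain Admins of the object's domain beats Enterprise Admins.
        "root_da+ea on root domain NC": dag({ROOT_DA, EA}, "domain", ROOT_DC,
                                            object_domain_sid=ROOT),
        # Config NC reverses that order: Enterprise Admins first.
        "root_da+ea on config NC": dag({ROOT_DA, EA}, "config", ROOT_DC),
        # Schema NC: Schema Admins outranks Enterprise Admins.
        "sa+ea on schema NC": dag({SA, EA}, "schema", ROOT_DC),
        # Config rule 2 looks at the DC's own domain: a child-domain DA gets no
        # DAG when the write lands on a root-domain DC ...
        "child_da on config NC via root DC": dag({CHILD_DA}, "config", ROOT_DC),
        # ... but does when a child-domain DC processes the same write.
        "child_da on config NC via child DC": dag({CHILD_DA}, "config", CHILD_DC),
        # Application NC: Domain Admins of the sdReferenceDomain, not of the DC.
        "child_da on app NC via root DC": dag({CHILD_DA}, "application", ROOT_DC,
                                              app_nc_dn=APP_NC),
        # No qualifying membership: DAG undefined.
        "plain user on schema NC": dag(set(), "schema", ROOT_DC),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:38s} -> {result}")
```

Two points the walk-through makes concrete: the same token yields a different DAG depending on the NC (Domain Admins wins over Enterprise Admins in a domain NC, the reverse in the config NC, and Schema Admins wins in the schema NC), and for the config and schema NCs the answer also depends on which DC processes the write, because rule 2 or 3 there refers to the Domain Admins group of the DC's own domain rather than the requester's.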