On Sat, Aug 19, 2023 at 2:15 AM ASSI wrote:

Windows really doesn't have a defined notion of what is or is not an
> "administrator".  Each particular definition will be insufficient or
> invalid in certain contexts.
>

There is a definition of administrator in Windows: Your account is a
member, either directly or indirectly, of the Administrators group (SID
1-5-32-544).

With the introduction of User Account Control (UAC) in Windows Vista, if
you log on as a member of this group, processes are normally started with
the Administrators group disabled (i.e, the process is not running as a
member of Administrators). The "run as administrator" action starts a
process with the group enabled. This is commonly referred to as
"elevation." [Side note: As I understand it, one of the reasons UAC was
introduced was made was to break (some?) software developers' habits of
assuming their programs run as administrator, and to choose better data
storage paths, registry paths, etc. See
https://techcommunity.microsoft.com/t5/windows-blog-archive/faq-why-can-8217-t-i-bypass-the-uac-prompt/ba-p/701510
for a nice summary. Also helpful is the current docs on SIDs:
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
]

On a domain, the Domain Admins group (which has a relative identifier, or
RID, of 512) is by default a member of the Administrators group. The
Administrators group is still there (same SID, S-1-5-32-544), and is called
a "Domain Local Security Group" (i.e., it's a local group that's shared by
all domain controllers.)

Hope this helps clarify.

Bill