What is the BUILTIN\Administrators group?

The BUILTIN\Administrators group is a local security group that exists on every Windows system. Members have unrestricted access to the local machine: Full system access - Can access all files and folders Install software - Can install and configure applications Manage users - Can create and modify local accounts Change security settings - Can modify system security By default, the Domain Admins group is added to BUILTIN\Administrators on domain-joined systems.

Should BUILTIN\Administrators appear in my file ACLs?

It depends on the context: System folders - Yes, expected on Windows, Program Files, etc. User data shares - Usually not needed explicitly Application folders - Depends on application requirements Key insight: Even without explicit ACL entries, local administrators can typically take ownership and grant themselves access. Explicit BUILTIN\Administrators permissions are often unnecessary and may indicate: Legacy configurations from older Windows versions Troubleshooting attempts that weren't cleaned up Application installer defaults

How do local administrators differ from domain administrators?

These groups have different scopes and purposes: Aspect Local Admins Domain Admins Scope Single machine Entire domain Stored in Local SAM Active Directory AD access None Full control Domain Admins are automatically members of BUILTIN\Administrators on domain-joined machines.

What is LAPS and how does it affect local admin auditing?

LAPS (Local Administrator Password Solution) is Microsoft's solution for managing local administrator passwords: Unique passwords - Each computer has a different local admin password Automatic rotation - Passwords change regularly Centralized storage - Passwords stored in AD (securely) Auditable access - Password retrieval is logged LAPS improves security but doesn't change where local admins have file permissions. You still need to audit those permissions to ensure least privilege.

Should I remove all BUILTIN\Administrators permissions from my file servers?

No - that would break administrative access and system functionality. Instead: Keep on system volumes - C:\Windows, C:\Program Files need admin access Evaluate on data volumes - D:\Data may not need explicit admin permissions Remove if unnecessary - Explicit entries on user shares are often not needed Document exceptions - Know why admin access exists on each location Remember: Administrators can always take ownership. The question is whether they should have standing access or need to explicitly claim it.

Identifying Local Administrator Access in NTFS Permissions

The BUILTIN\Administrators group provides full administrative access to a Windows system. Understanding where this group has file system permissions is crucial for security hardening, compliance, and implementing the principle of least privilege.

This guide explains when local administrator permissions are appropriate, how to audit them across your file servers, and best practices for managing administrative access to sensitive data.

Understanding Local Administrator Access

What is BUILTIN\Administrators?

Every Windows system has a local BUILTIN\Administrators group. This group:

Has unrestricted local access - Full control over the system
Contains the local Administrator account - The built-in admin user
Contains Domain Admins - On domain-joined systems
May contain other accounts - IT staff, service accounts, etc.

Default Membership

On domain-joined systems, BUILTIN\Administrators typically includes:

Administrator - The local Administrator account
DOMAIN\Domain Admins - All domain administrators
Additional accounts added by IT or applications

Security note: When you grant BUILTIN\Administrators access to a folder, you're implicitly granting access to Domain Admins and anyone else in that group. This is why auditing local admin permissions matters.

The Principle of Least Standing Privilege

Modern security best practices advocate for least standing privilege:

Just-in-time access - Administrators request access when needed
Time-limited permissions - Access expires after a period
Take ownership model - Admins claim access explicitly rather than having standing access

Finding explicit BUILTIN\Administrators permissions in file ACLs often indicates standing privileges that could be reduced.

When Local Admin Access is Appropriate

System-Critical Locations

BUILTIN\Administrators should have access to:

Windows directory - C:\Windows and subdirectories
Program Files - C:\Program Files, C:\Program Files (x86)
System root - C:\ root directory
Application installation paths - Where system software is installed

Locations to Evaluate

Review whether local admin access is truly needed on:

Data volumes - D:\Data, E:\Shares
User home directories - Admins don't typically need standing access
Department shares - Access should be through security groups
Application data folders - Often overconfigured during installation

Auditing Local Admin File Permissions

Permissions Reporter can identify all locations where local administrator accounts have been granted explicit file system permissions.

Step 1: Set Up Your Audit Scan

Launch Permissions Reporter
Create a new project
Add your data volume paths (focus on non-system locations)
Run the permissions scan

Step 2: Apply the Local Admin Filter

After the scan completes, click the Filter dropdown in the main toolbar
Select Edit Post-Scan Filter to open the filter editor
In the filter editor toolbar, click the Quick button
Select "Permissions allowing local admin access" from the quick filter menu
Click Apply to filter the results

What the filter finds: This preset identifies permissions where BUILTIN\Administrators, the local Administrator account, or other local administrative principals have been granted access.

Step 3: Analyze and Categorize Results

Categorize findings into:

Expected - System folders, application requirements
Evaluate - Data folders that may not need admin access
Remove - Unnecessary admin permissions on user data

Step 4: Export for Remediation

Export the findings for review and action planning:

Click Export
Choose Excel or CSV format
Document decisions for each finding
Track remediation progress

Remediation Approaches

Remove Unnecessary Explicit Permissions

For locations where explicit local admin access isn't needed:

# PowerShell: Remove BUILTIN\Administrators explicit permissions
$path = "D:\SharedData\Marketing"
$acl = Get-Acl $path

# Find explicit (non-inherited) Administrators rules
$adminRules = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq "BUILTIN\Administrators" -and
    -not $_.IsInherited
}

foreach ($rule in $adminRules) {
    $acl.RemoveAccessRule($rule)
    Write-Host "Removed explicit admin permission from: $path"
}

Set-Acl $path $acl

Best practice: Document why you're removing permissions and verify that no applications depend on explicit admin access before making changes.

Rely on Backup Operators for Backup Access

If admin permissions exist for backup purposes, use the proper group:

Backup Operators - Has SeBackupPrivilege to read all files
Doesn't need explicit ACL entries - Privilege bypasses ACL checks
More auditable - Specific group for specific purpose

Create Purpose-Specific Admin Groups

Instead of using BUILTIN\Administrators everywhere:

FileServer-Admins - For file server management
SharePoint-Admins - For SharePoint content
App-Name-Admins - For specific application administration

This provides more granular control and better audit trails.

Special Considerations

File Server Resource Manager (FSRM)

If you use FSRM for quotas or file screening, ensure proper admin access for management.

DFS Namespaces

DFS configuration may require specific administrative access. Document these requirements.

Clustered File Servers

Cluster service accounts may need administrator access. Use cluster-specific admin groups rather than BUILTIN\Administrators where possible.

Inherited vs. Explicit Permissions

Pay special attention to explicit admin permissions:

Inherited - May be by design from parent folder structure
Explicit - Was intentionally set on this specific folder

Explicit permissions are more likely to be unnecessary additions that should be reviewed.

Compliance Mapping

Local admin access auditing supports multiple compliance requirements:

CIS Controls - Control 4: Controlled Use of Administrative Privileges
NIST 800-53 - AC-6: Least Privilege
PCI-DSS - Requirement 7: Restrict access by business need
ISO 27001 - A.9.2: User access management

Local Administrator Access Audit