Can one add Enterprise Admins to the Domain Admin group

  • Can one add Enterprise Admins to the Domain Admin group

    How can members of the Enterprise Admins at the Forest level have domain-admin-access to all child tree domain objects? Instead of creating accounts at each child domain with domain admin rights, is it possible to create a set of enterprise admins at the forest level to have admin rights on all member servers and objects on every child domain?

  • #2
    Re: Can one add Enterprise Admins to the Domain Admin group

    It should be this way by default. Make sure the Ent Admins group belongs to the BUILTIN/Administrators group on all child domains. Unless it was removed for a reason..

    • #3
      Re: Can one add Enterprise Admins to the Domain Admin group

      But Enterprise Admins can't log onto servers with administrative rights like domain admins... is that by design?
      Also say your software that is using the NetBIOS name resolution and you need to have access to the child domain workstations, you need a single user access. Which means you need a cross domain user to make it work..

      • #4
        Re: Can one add Enterprise Admins to the Domain Admin group

        Annie - you'll note that the Enterprise Admins group is a member of <domain>\BUILTIN\Administrators. Domain Admins gets its power from this group but is a Domain Global group which can therefore be added to a Server's "Local" Admins group.

        BUILTIN\Administrators CANNOT be added to a server's local Admins group, because it is a BUILTIN (i.e. special) group. So - while Enterprise Admins gets Domain Admin privileges, it cannot log into foreign domain servers.

        The answer is to create a universal admins group which is a member of a "Domain Local" group in each domain which is, in turn, a member of "Domain Admins". Put the users you wish to be global admins, from any domain, into the UG group.

        I would shy away from adding anyone but a very small core of users to the Enterprise Admins group - simply because (a) there are very few tasks which require this level of access, and (b) the potential for damage is extreme.


        Tom
        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

        Anything you say will be misquoted and used against you
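
Added example, not part of the thread or any poster's code: a read-only PowerShell audit of the membership that replies #2 and #4 refer to, checking in every domain of the forest whether Enterprise Admins is a member of BUILTIN\Administrators, and listing who is directly in Enterprise Admins. It assumes the RSAT ActiveDirectory module and read access to each domain; the function name `Get-EnterpriseAdminsAudit` is hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Read-only audit: makes no changes to any group.
# Assumption: run from a domain-joined host by an account that can read every domain in the forest.

function Get-EnterpriseAdminsAudit {
    $forest  = Get-ADForest
    $root    = $forest.RootDomain
    $rootSid = (Get-ADDomain -Identity $root -Server $root).DomainSID.Value

    # Enterprise Admins exists only in the forest root domain, well-known RID 519.
    $ea = Get-ADGroup -Identity "$rootSid-519" -Server $root -Properties member

    # Per-domain check: is Enterprise Admins in that domain's BUILTIN\Administrators?
    $perDomain = foreach ($domain in $forest.Domains) {
        try {
            # BUILTIN\Administrators has the same well-known SID in every domain.
            $builtin = Get-ADGroup -Identity 'S-1-5-32-544' -Server $domain -Properties member
            [pscustomobject]@{
                Domain                  = $domain
                EnterpriseAdminsPresent = @($builtin.member) -contains $ea.DistinguishedName
                AdministratorsMembers   = @($builtin.member).Count
                Error                   = $null
            }
        }
        catch {
            # An unreachable domain is reported, not silently skipped.
            [pscustomobject]@{
                Domain                  = $domain
                EnterpriseAdminsPresent = $null
                AdministratorsMembers   = $null
                Error                   = $_.Exception.Message
            }
        }
    }

    [pscustomobject]@{
        EnterpriseAdminsDN      = $ea.DistinguishedName
        EnterpriseAdminsMembers = @($ea.member)   # direct members only
        Domains                 = $perDomain
    }
}

$audit = Get-EnterpriseAdminsAudit
$audit.Domains | Format-Table -AutoSize
"Direct members of Enterprise Admins: $($audit.EnterpriseAdminsMembers.Count)"
$audit.EnterpriseAdminsMembers
```

A domain reporting `EnterpriseAdminsPresent = False` is one where the default membership mentioned in reply #2 has been changed, and the direct-member list is the set to review against the advice in reply #4 about keeping Enterprise Admins small.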
