enterprise admins in single domain question

Anonymous
August 21, 2005 1:20:20 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi all,

In a single out of the box Windows 2003 AD Domain (no root or child
domains), I noticed that domain admins can freely add themselves into
the enterprise admin groups.

Is this normal? Actually, in a forest made of a single domain, where's
the difference between enterprise and domain admins?

Thanks
Anonymous
August 21, 2005 4:59:13 PM

Thank you Andrey for your answer.
I feel my question is still unanswered though. Is it normal that in a
single domain, domain admins can add themselves to the enterprise
admins group?

Regards
Anonymous
August 21, 2005 10:07:25 PM

Yes, as Andrei already answered!

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



<barabba72@hotmail.com> wrote in message
news:1124654353.029478.90080@f14g2000cwb.googlegroups.com...
> Thank you Andrey for your answer.
> I feel my question is still unanswered though. Is it normal that in a
> single domain, domain admins can add themselves to the enterprise
> admins group ?
>
> Regards
>
Anonymous
August 22, 2005 2:43:06 AM

This behavior is normal. Enterprise Admins (from the root domain) has Full
Control in all domains of the forest (is member of Administrators group in
all domains of the forest). Domain Admins has control only in local domain
(in your case - root domain).


--
Andrei Ungureanu
www.eventid.net
Free Windows event logs reports
http://www.altairtech.ca/evlog/

<barabba72@hotmail.com> wrote in message
news:1124641220.513832.261700@g49g2000cwa.googlegroups.com...
> Hi all,
>
> In a single out of the box Windows 2003 AD Domain (no root or child
> domains), I noticed that domain admins can freely add themselves into
> the enterprise admin groups.
>
> Is this normal? Actually, in a forest made of a single domain, where's
> the difference between enterprise and domain admins?
>
> Thanks
>
Anonymous
August 22, 2005 7:20:07 PM

Joe,

I don't get this one. A domain admin of a child domain cannot add
himself to an enterprise group hosted on a higher (root) domain. Right?

Thanks !
Anonymous
August 22, 2005 9:49:20 PM

Any admin on any domain, if they know what they are doing, can add themselves to
Enterprise Admins for the forest. The people who are domain admins should also
be the enterprise admins because they can effectively gain that access any time
they want.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


barabba72@hotmail.com wrote:
> Thank you Andrey for your answer.
> I feel my question is still unanswered though. Is it normal that in a
> single domain, domain admins can add themselves to the enterprise
> admins group ?
>
> Regards
>
Anonymous
August 23, 2005 3:40:09 AM

Yes, a domain admin, or even a server operator of a child domain can add
themselves to enterprise admins.

I will not explain the details how, but I have done it on multiple occasions to
help companies who ended up in bad ways.

This is why only people who are domain admins should have rights on domain
controllers and they should have the rights on all DCs in the forest. The domain
IS NOT a security boundary. It is a replication and policy boundary.


--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


barabba72@hotmail.com wrote:
> Joe,
>
> I don't get this one. A domain admin of a child domain cannot add
> himself to an enterprise group hosted on a higher (root) domain. Right
> ?
>
> Thanks !
>
September 29, 2011 11:07:44 AM

Quote:
> Thank you Andrey for your answer.
> I feel my question is still unanswered though. Is it normal that in a
> single domain, domain admins can add themselves to the enterprise
> admins group ?
>
> Regards

Yes, definitely you can add to Enterprise Admins if you are a Domain Admin!
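
Added example, not part of the original thread: because the replies above say a Domain Admin can become an Enterprise Admin at will, a practical control is to alert on every membership addition to that group. The sketch below filters exported Security events for additions to the group with well-known RID 519 and marks self-additions and members from another domain; the record layout, SIDs and account names are constructed, and the dict keys assume an exporter that keeps the event 4728/4756 field names.

```python
# Added example (not from the thread): flag additions to Enterprise Admins.
# Event IDs: 4728/4756 = member added to a security-enabled global/universal
# group; 632/660 are the Windows 2000/2003 equivalents.
MEMBER_ADDED_IDS = {4728, 4756, 632, 660}
ENTERPRISE_ADMINS_RID = "519"  # well-known RID; the group lives in the forest root

# Constructed sample records. Key names follow the 4728/4756 EventData fields;
# assumption: your log exporter normalises events into dicts like these.
ROOT = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed root domain SID
CHILD = "S-1-5-21-4444444444-5555555555-6666666666"  # constructed child domain SID
SAMPLE_EVENTS = [
    # A root-domain admin adds their own account to Enterprise Admins.
    {"EventID": 4756, "TargetSid": ROOT + "-519", "SubjectUserName": "da-alice",
     "SubjectUserSid": ROOT + "-1104", "MemberSid": ROOT + "-1104"},
    # An account from the child domain is added by a root-domain admin.
    {"EventID": 4756, "TargetSid": ROOT + "-519", "SubjectUserName": "da-bob",
     "SubjectUserSid": ROOT + "-1105", "MemberSid": CHILD + "-1201"},
    # Unrelated group change (Domain Admins, RID 512): ignored.
    {"EventID": 4728, "TargetSid": ROOT + "-512", "SubjectUserName": "da-bob",
     "SubjectUserSid": ROOT + "-1105", "MemberSid": ROOT + "-1300"},
    # Logon event: ignored.
    {"EventID": 4624, "TargetSid": ROOT + "-519"},
]

def split_sid(sid):
    """Return (domain_sid, rid) for a domain account or group SID."""
    domain, _, rid = sid.rpartition("-")
    return domain, rid

def enterprise_admin_additions(events):
    """Return one finding per member added to an Enterprise Admins group."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in MEMBER_ADDED_IDS:
            continue
        group_domain, group_rid = split_sid(ev.get("TargetSid", ""))
        if group_rid != ENTERPRISE_ADMINS_RID:
            continue
        member_domain, _ = split_sid(ev.get("MemberSid", ""))
        findings.append({
            "actor": ev.get("SubjectUserName"),
            "member_sid": ev.get("MemberSid"),
            # The actor added their own account: the case asked about above.
            "self_added": ev.get("SubjectUserSid") == ev.get("MemberSid"),
            # Member comes from another domain in the forest (e.g. a child).
            "cross_domain": member_domain != group_domain,
        })
    return findings
```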