enterprise admins in single domain question

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Thank you Andrey for your answer.
I feel my question is still unanswered though. Is it normal that in a
single domain, domain admins can add themselves to the enterprise
admins group ?

Regards

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Yes, as Andrei already answered!

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



<barabba72@hotmail.com> wrote in message
news:1124654353.029478.90080@f14g2000cwb.googlegroups.com...
> Thank you Andrey for your answer.
> I feel my question is still unanswered though. Is it normal that in a
> single domain, domain admins can add themselves to the enterprise
> admins group ?
>
> Regards
>

Archived from groups: microsoft.public.win2000.active_directory (More info?)

this behavior is normal. Enterprise Admins (from the root domain) has Full
Control in all domains of the forest (is member of Administrators group in
all domains of the forest). Domain Admins has control only in local domain
(in your case - root domain).


--
Andrei Ungureanu
www.eventid.net
Free Windows event logs reports
http://www.altairtech.ca/evlog/

<barabba72@hotmail.com> wrote in message
news:1124641220.513832.261700@g49g2000cwa.googlegroups.com...
> Hi all,
>
> in a single out of the box Windows 2003 AD Domain (no root or child
> domains), I noticed that domain admins can freely add themlselves into
> the enterprise admin groups.
>
> is this normal ? Actually, in a forest made of a single domain, where's
> the difference between enterprise and domain admins ?
>
> Thanks
>

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Joe,

I don't get this one. A domain admin of a child domain cannot add
himself to an enterprise group hosted on a higher (root) domain. Right
?

Thanks !

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Any admin on any domain if they know what they are doing can add themselves to
Enterprise Admins for the forest. The people who are domain admins should also
be the enterprise admins because they can effectively gain that access any time
they want.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


barabba72@hotmail.com wrote:
> Thank you Andrey for your answer.
> I feel my question is still unanswered though. Is it normal that in a
> single domain, domain admins can add themselves to the enterprise
> admins group ?
>
> Regards
>

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Yes, a domain admin, or even a server operator of a child domain can add
themselves to enterprise admins.

I will not explain the details how, but I have done it on multiple occasions to
help companies who ended up in bad ways.

This is why only people who are domain admins should have rights on domain
controllers and they should have the rights on all DCs in the forest. The domain
IS NOT a security boundary. It is a replication and policy boundary.


--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


barabba72@hotmail.com wrote:
> Joe,
>
> I don't get this one. A domain admin of a child domain cannot add
> himself to an enterprise group hosted on a higher (root) domain. Right
> ?
>
> Thanks !
>

Yes definetely You can add to Enterprise Admins if you are a Domain Admin.