enterprise admins in single domain question

Archived from groups: microsoft.public.win2000.active_directory

Hi all,

In a single out of the box Windows 2003 AD Domain (no root or child
domains), I noticed that domain admins can freely add themselves into
the enterprise admin groups.

Is this normal? Actually, in a forest made of a single domain, where's
the difference between enterprise and domain admins?

Thanks
  1. Thank you Andrey for your answer.
    I feel my question is still unanswered though. Is it normal that in a
    single domain, domain admins can add themselves to the enterprise
    admins group ?

    Regards
  2. Yes, as Andrei already answered!

    --
    Cary W. Shultz
    Roanoke, VA 24012
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    <barabba72@hotmail.com> wrote in message
    news:1124654353.029478.90080@f14g2000cwb.googlegroups.com...
    > Thank you Andrey for your answer.
    > I feel my question is still unanswered though. Is it normal that in a
    > single domain, domain admins can add themselves to the enterprise
    > admins group ?
    >
    > Regards
    >
  3. This behavior is normal. Enterprise Admins (from the root domain) has Full
    Control in all domains of the forest (is member of Administrators group in
    all domains of the forest). Domain Admins has control only in local domain
    (in your case - root domain).


    --
    Andrei Ungureanu
    www.eventid.net
    Free Windows event logs reports
    http://www.altairtech.ca/evlog/

    <barabba72@hotmail.com> wrote in message
    news:1124641220.513832.261700@g49g2000cwa.googlegroups.com...
    > Hi all,
    >
    > in a single out of the box Windows 2003 AD Domain (no root or child
    > domains), I noticed that domain admins can freely add themselves into
    > the enterprise admin groups.
    >
    > is this normal ? Actually, in a forest made of a single domain, where's
    > the difference between enterprise and domain admins ?
    >
    > Thanks
    >
  4. Joe,

    I don't get this one. A domain admin of a child domain cannot add
    himself to an enterprise group hosted on a higher (root) domain. Right?

    Thanks !
  5. Any admin on any domain if they know what they are doing can add themselves to
    Enterprise Admins for the forest. The people who are domain admins should also
    be the enterprise admins because they can effectively gain that access any time
    they want.

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    barabba72@hotmail.com wrote:
    > Thank you Andrey for your answer.
    > I feel my question is still unanswered though. Is it normal that in a
    > single domain, domain admins can add themselves to the enterprise
    > admins group ?
    >
    > Regards
    >
  6. Yes, a domain admin, or even a server operator of a child domain can add
    themselves to enterprise admins.

    I will not explain the details how, but I have done it on multiple occasions to
    help companies who ended up in bad ways.

    This is why only people who are domain admins should have rights on domain
    controllers and they should have the rights on all DCs in the forest. The domain
    IS NOT a security boundary. It is a replication and policy boundary.


    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    barabba72@hotmail.com wrote:
    > Joe,
    >
    > I don't get this one. A domain admin of a child domain cannot add
    > himself to an enterprise group hosted on a higher (root) domain. Right?
    >
    > Thanks !
    >
  7. Quote:

    Thank you Andrey for your answer.
    I feel my question is still unanswered though. Is it normal that in a
    single domain, domain admins can add themselves to the enterprise
    admins group ?

    Regards

    Yes, definitely. You can add to Enterprise Admins if you are a Domain Admin.
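
Reply 6's point, that anyone holding admin rights on a domain controller is effectively a forest-wide admin, can be turned into an audit. The PowerShell below is an added example, not code from the thread or its authors; it assumes the RSAT ActiveDirectory module and read access to every domain in the forest, and it lists the principals in each domain's Domain Admins, Administrators and Server Operators groups that are not members of Enterprise Admins.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module
# (RSAT) and an account that can read group membership in every domain.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDom = Get-ADDomain -Server $forest.RootDomain

# Enterprise Admins exists only in the forest root domain.
# Its SID is the root domain SID followed by the well-known RID 519.
$eaSid  = "$($rootDom.DomainSID.Value)-519"
$eaSids = @(
    Get-ADGroupMember -Identity $eaSid -Server $forest.RootDomain -Recursive |
        ForEach-Object { $_.SID.Value }
)

$report = foreach ($name in $forest.Domains) {
    $dom = Get-ADDomain -Server $name

    # Well-known groups checked in each domain:
    #   Domain Admins     <domain SID>-512
    #   Administrators    S-1-5-32-544 (builtin)
    #   Server Operators  S-1-5-32-549 (builtin)
    $groups = [ordered]@{
        'Domain Admins'    = "$($dom.DomainSID.Value)-512"
        'Administrators'   = 'S-1-5-32-544'
        'Server Operators' = 'S-1-5-32-549'
    }

    foreach ($g in $groups.GetEnumerator()) {
        # -Recursive expands nested groups and returns only leaf members.
        Get-ADGroupMember -Identity $g.Value -Server $name -Recursive |
            Where-Object { $eaSids -notcontains $_.SID.Value } |
            ForEach-Object {
                [pscustomobject]@{
                    Domain = $name
                    Group  = $g.Key
                    Member = $_.SamAccountName
                    SID    = $_.SID.Value
                }
            }
    }
}

# Every row is a principal that the thread's reasoning says should be
# treated as forest-level even though it is not in Enterprise Admins.
$report | Sort-Object Domain, Group, Member -Unique | Format-Table -AutoSize
```

In a single-domain forest the output is simply the domain's own privileged accounts; in a multi-domain forest it shows how far the set of accounts to be trusted at forest level extends beyond the Enterprise Admins membership list.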