enterprise admins in single domain question

Archived from groups: microsoft.public.win2000.active_directory

Hi all,

in a single out of the box Windows 2003 AD Domain (no root or child
domains), I noticed that domain admins can freely add themselves into
the enterprise admin groups.

is this normal ? Actually, in a forest made of a single domain, where's
the difference between enterprise and domain admins ?

Thanks

Archived from groups: microsoft.public.win2000.active_directory

This behavior is normal. Enterprise Admins (from the root domain) has Full
Control in all domains of the forest (is member of Administrators group in
all domains of the forest). Domain Admins has control only in local domain
(in your case - root domain).


--
Andrei Ungureanu
www.eventid.net
Free Windows event logs reports
http://www.altairtech.ca/evlog/

<barabba72@hotmail.com> wrote in message
news:1124641220.513832.261700@g49g2000cwa.googlegroups.com...
> Hi all,
>
> in a single out of the box Windows 2003 AD Domain (no root or child
> domains), I noticed that domain admins can freely add themselves into
> the enterprise admin groups.
>
> is this normal ? Actually, in a forest made of a single domain, where's
> the difference between enterprise and domain admins ?
>
> Thanks
>

Archived from groups: microsoft.public.win2000.active_directory

Thank you Andrey for your answer.
I feel my question is still unanswered though. Is it normal that in a
single domain, domain admins can add themselves to the enterprise
admins group ?

Regards

Archived from groups: microsoft.public.win2000.active_directory

Yes, as Andrei already answered!

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



<barabba72@hotmail.com> wrote in message
news:1124654353.029478.90080@f14g2000cwb.googlegroups.com...
> Thank you Andrey for your answer.
> I feel my question is still unanswered though. Is it normal that in a
> single domain, domain admins can add themselves to the enterprise
> admins group ?
>
> Regards
>

Archived from groups: microsoft.public.win2000.active_directory

Any admin on any domain if they know what they are doing can add themselves to
Enterprise Admins for the forest. The people who are domain admins should also
be the enterprise admins because they can effectively gain that access any time
they want.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


barabba72@hotmail.com wrote:
> Thank you Andrey for your answer.
> I feel my question is still unanswered though. Is it normal that in a
> single domain, domain admins can add themselves to the enterprise
> admins group ?
>
> Regards
>

Archived from groups: microsoft.public.win2000.active_directory

Joe,

I don't get this one. A domain admin of a child domain cannot add
himself to an enterprise group hosted on a higher (root) domain. Right
?

Thanks !

Archived from groups: microsoft.public.win2000.active_directory

Yes, a domain admin, or even a server operator of a child domain can add
themselves to enterprise admins.

I will not explain the details how, but I have done it on multiple occasions to
help companies who ended up in bad ways.

This is why only people who are domain admins should have rights on domain
controllers and they should have the rights on all DCs in the forest. The domain
IS NOT a security boundary. It is a replication and policy boundary.


--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


barabba72@hotmail.com wrote:
> Joe,
>
> I don't get this one. A domain admin of a child domain cannot add
> himself to an enterprise group hosted on a higher (root) domain. Right
> ?
>
> Thanks !
>
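
Because the replies above say a domain admin can end up in Enterprise Admins, additions to that group are worth reviewing every time they occur. The following is an added example, not part of the original thread: it scans exported Security-log records for member-added events on the forest root's Enterprise Admins group and notes why each one deserves attention. The SIDs, the approved-actor list and the record layout (dicts keyed by event field names) are constructed for illustration.

```python
# Security-log "member added to a security-enabled group" event IDs:
# 4728 global, 4732 local, 4756 universal; 632/636/660 are the
# Windows 2000/2003 numbers for the same three events.
MEMBER_ADDED_IDS = {4728, 4732, 4756, 632, 636, 660}
ENTERPRISE_ADMINS_RID = "519"  # well-known RID in the forest root domain


def domain_of(sid):
    """Return the domain part of an account SID (everything before the RID)."""
    return sid.rsplit("-", 1)[0]


def enterprise_admin_additions(events, root_domain_sid, approved_actors):
    """Report every addition to the root domain's Enterprise Admins group."""
    target = f"{root_domain_sid}-{ENTERPRISE_ADMINS_RID}"
    findings = []
    for ev in events:
        if ev.get("EventID") not in MEMBER_ADDED_IDS or ev.get("TargetSid") != target:
            continue
        actor, member = ev["SubjectUserSid"], ev["MemberSid"]
        reasons = []
        if actor == member:
            reasons.append("self-add")
        if domain_of(actor) != root_domain_sid:
            reasons.append("actor from another domain")
        if actor not in approved_actors:
            reasons.append("actor not approved")
        findings.append({"actor": actor, "member": member, "reasons": reasons})
    return findings


# Constructed sample data: SIDs and records are made up for this example.
ROOT = "S-1-5-21-1111111111-2222222222-3333333333"
CHILD = "S-1-5-21-4444444444-5555555555-6666666666"
APPROVED = {f"{ROOT}-500"}
EA = f"{ROOT}-519"
SAMPLE_EVENTS = [
    {"EventID": 4756, "TargetSid": EA, "SubjectUserSid": f"{ROOT}-1104", "MemberSid": f"{ROOT}-1104"},
    {"EventID": 4756, "TargetSid": EA, "SubjectUserSid": f"{ROOT}-500", "MemberSid": f"{ROOT}-1105"},
    # Domain Admins (RID 512) change: outside the scope of this check.
    {"EventID": 4728, "TargetSid": f"{ROOT}-512", "SubjectUserSid": f"{ROOT}-500", "MemberSid": f"{ROOT}-1106"},
    {"EventID": 4624, "TargetUserSid": f"{ROOT}-1104"},  # logon event, ignored
    {"EventID": 4756, "TargetSid": EA, "SubjectUserSid": f"{CHILD}-1110", "MemberSid": f"{CHILD}-1110"},
]

if __name__ == "__main__":
    for finding in enterprise_admin_additions(SAMPLE_EVENTS, ROOT, APPROVED):
        print(finding)
```

These events are only written when security group management auditing is enabled on the domain controllers, so the check is only as good as that audit policy and the log collection behind it.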
