Solved

Enterprise admin in Parent / Child domain.

Posted on 2009-04-14
15
1,203 Views
Last Modified: 2012-05-06
1-I would like to know what an Enterprise Admin in the parent domain is able to do in the child domain, if he doesn't have an account in the child domain. I believe he can create a GPO at the site level that will flow to the child domain, other than that I don't know what he can do for the child domain.


2-Is the Domain Admin for the child domain able to make himself an enterprise admin?

Thanks
0
Comment
Question by:jskfan
  • 6
  • 6
  • 3
15 Comments
 
LVL 58

Expert Comment

by:tigermatt
ID: 24140535

An Enterprise Admin has permission to do ANYTHING across the ENTERPRISE. An Enterprise Admin is able to access and make any changes they wish across the root domain and all child domains in the forest.

A Domain Admin in the child domain only has permissions over the child domain; they do not have permissions over the root domain, and therefore cannot make changes to groups there or promote themselves as an Enterprise Admin. However, a Domain Admin in the root domain has the ability to promote themselves as an Enterprise Admin; access to the Root Domain should therefore be strictly controlled.

-Matt
0
 

Author Comment

by:jskfan
ID: 24140755
if Enterprise Admin from the Parent domain wants to logon to the child Domain, does he have to create an account in the child domain.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24140803

Not at all. The trust between the domains would allow the Enterprise Admin to access the child domain. He can either use tools from his own domain to manage the domain, or if he wants to access a PC joined to the child domain, simply change the 'Log On To' on the logon prompt to the NetBIOS name of the child domain.

-Matt
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:jskfan
ID: 24140855
I created an account on the parent domain and made it Enterprise Admin.
When I tried to logon to a DC in the child domain with that account it says:
The system couldn't log you on.................
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24140934

How are you logging in? Using Terminal Desktop, or at the console?
0
 

Author Comment

by:jskfan
ID: 24140975
using Terminal Desktop
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24141141

Try specifying the user name as Enterprise-Admin-Username@rootdomain.com
0
 
LVL 18

Accepted Solution

by:
Americom earned 250 total points
ID: 24141985
Unless you use UPN logon format(username@domainname) as above, otherwise, I believe you need to select the domain where your account is created to logon to.
0
 

Author Comment

by:jskfan
ID: 24142088
<<Enterprise-Admin-Username@rootdomain.com>>

This worked to logon to a DC in the child domain.
If I use it to unlock a workstation that's joined to the child domain it doesn't work.




0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24142524

Log on is different to unlocking a machine in the child domain. While theoretically an Enterprise Admin should be able to do this with those rights, I'd guess it may be restricted for some reason.

-Matt
0
 
LVL 18

Expert Comment

by:Americom
ID: 24142678
The UPN format can logon to the child domain because it can locate the account being used actually exist in the specific domain to logon to, in the end it actually logged on to the parent domain as that's where the account exist.

Also, you cannot unlock the workstation because by default I believe only the child Domain Admins group is a member of the workstation's local Administrators group. Unless you make the Enterprise Admins a member of the workstation's local Administrators group then you would be able to unlock the machine.
0
 

Author Comment

by:jskfan
ID: 24143402
<<<Unless you make the Enterprise Admins a member of the workstation's local Administrators group then you would be able to unlock the machine.>>>

a user needs to be a member of local Administrators group in the woorkstation to unlock a workstation that is memeber of the domain. Correct?
0
 
LVL 18

Expert Comment

by:Americom
ID: 24143650
Correct.
0
 

Author Comment

by:jskfan
ID: 24143694
tigermatt  asked me
<<<How are you logging in? Using Terminal Desktop, or at the console?>>>

I wonder if the login was at he console instead of RDP  if another rule will apply.
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 250 total points
ID: 24149790

A login via Terminal Services should not have an effect on logging in at the console. However, a connection to particular servers using one of the newer RDP clients often asks for credentials prior to connection, and you may need to enter the username in the format ROOTDOMAIN\Enterprise-Admin-User in order for the connection to work correctly.

As a general rule of thumb, use the UPN name (Enterprise-Admin-User@rootdomain.com), as that will work across the Enterprise.

-Matt
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question