Solved

Enterprise admin in Parent / Child domain.

Posted on 2009-04-14
15
1,211 Views
Last Modified: 2012-05-06
1. I would like to know what an Enterprise Admin in the parent domain is able to do in the child domain if he doesn't have an account in the child domain. I believe he can create a GPO at the site level that will flow down to the child domain; other than that, I don't know what he can do for the child domain.

2. Is the Domain Admin for the child domain able to make himself an Enterprise Admin?

Thanks
Question by:jskfan
15 Comments
 
LVL 58

Expert Comment

by:tigermatt
ID: 24140535

An Enterprise Admin has permission to do ANYTHING across the ENTERPRISE. An Enterprise Admin is able to access and make any changes they wish across the root domain and all child domains in the forest.

A Domain Admin in the child domain only has permissions over the child domain; they do not have permissions over the root domain, and therefore cannot make changes to groups there or promote themselves as an Enterprise Admin. However, a Domain Admin in the root domain has the ability to promote themselves as an Enterprise Admin; access to the Root Domain should therefore be strictly controlled.

-Matt
0
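Added example (editor's note, not part of tigermatt's answer): the two claims above, that Enterprise Admins reaches every domain in the forest and that only root-domain principals should be able to change its membership, are both things you can verify rather than take on faith. The script below lists Enterprise Admins in the forest root and Domain Admins in every domain, then reads the DACL of the Enterprise Admins group and of AdminSDHolder (whose ACL SDProp copies back onto protected groups) and prints every principal allowed to change membership. It assumes the RSAT ActiveDirectory module and an account that can read every domain; the group RIDs (519 for Enterprise Admins, 512 for Domain Admins) and the schema GUID of the `member` attribute are well-known constants, everything else is discovered at run time.

```powershell
# Added example: audit forest-wide admin groups and who can rewrite Enterprise Admins.
# Assumes RSAT's ActiveDirectory module and read access to every domain in the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = Get-ADDomain -Identity $forest.RootDomain

# Enterprise Admins exists only in the forest root: RID 519 under the root domain SID.
$eaSid = "$($root.DomainSID)-519"
$ea    = Get-ADGroup -Identity $eaSid -Server $root.PDCEmulator

Write-Output "Enterprise Admins ($($root.DNSRoot)):"
Get-ADGroupMember -Identity $eaSid -Server $root.PDCEmulator -Recursive |
    ForEach-Object { "  $($_.DistinguishedName)" }

# Domain Admins (RID 512) is per domain; a child's group holds nothing in the root.
foreach ($dnsName in $forest.Domains) {
    $d = Get-ADDomain -Identity $dnsName
    Write-Output "`nDomain Admins ($dnsName):"
    Get-ADGroupMember -Identity "$($d.DomainSID)-512" -Server $d.PDCEmulator -Recursive |
        ForEach-Object { "  $($_.DistinguishedName)" }
}

# Who can change Enterprise Admins membership? Read the group's DACL and AdminSDHolder's
# (SDProp re-stamps protected groups from AdminSDHolder, so an entry there counts too).
# A PSDrive bound to the root PDC keeps this working when run from a child-domain host.
New-PSDrive -Name RootAD -PSProvider ActiveDirectory -Server $root.PDCEmulator -Root '' | Out-Null

$memberAttrGuid = 'bf9679c0-0de6-11d1-a285-00aa003049e2'   # schema GUID of 'member'
$allPropsGuid   = '00000000-0000-0000-0000-000000000000'   # ACE applies to all properties
$fullRights     = 'GenericAll|GenericWrite|WriteDacl|WriteOwner'

foreach ($dn in $ea.DistinguishedName, "CN=AdminSDHolder,CN=System,$($root.DistinguishedName)") {
    Write-Output "`nPrincipals allowed to change membership via ${dn}:"
    (Get-Acl -Path "RootAD:\$dn").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $_.ActiveDirectoryRights -match $fullRights -or
                ($_.ActiveDirectoryRights -match 'WriteProperty' -and
                 $_.ObjectType.Guid -in $memberAttrGuid, $allPropsGuid)
            )
        } |
        Select-Object IdentityReference, ActiveDirectoryRights |
        Sort-Object IdentityReference -Unique |
        ForEach-Object { "  $($_.IdentityReference)  [$($_.ActiveDirectoryRights)]" }
}
```

Anything in the last two listings that is not a root-domain principal (SYSTEM, the root's Domain Admins and Enterprise Admins, Administrators) is a finding. One caveat the thread does not cover: the group ACL is only one path. Inside a single forest there is no SID filtering between parent and child, so whoever controls a child domain's DCs (and therefore the trust keys and the ability to put SID history on tickets) can reach the forest root regardless of what this DACL says. The forest, not the domain, is the security boundary, which is the real reason to keep child Domain Admins as tightly controlled as the root's.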
 

Author Comment

by:jskfan
ID: 24140755
If an Enterprise Admin from the parent domain wants to log on to the child domain, does he have to create an account in the child domain?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24140803

Not at all. The trust between the domains would allow the Enterprise Admin to access the child domain. He can either use tools from his own domain to manage the domain, or if he wants to access a PC joined to the child domain, simply change the 'Log On To' on the logon prompt to the NetBIOS name of the child domain.

-Matt
0

 

Author Comment

by:jskfan
ID: 24140855
I created an account on the parent domain and made it an Enterprise Admin.
When I tried to log on to a DC in the child domain with that account it says:
The system couldn't log you on.................
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24140934

How are you logging in? Using Terminal Desktop, or at the console?
0
 

Author Comment

by:jskfan
ID: 24140975
using Terminal Desktop
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24141141

Try specifying the user name as Enterprise-Admin-Username@rootdomain.com
0
 
LVL 18

Accepted Solution

by:
Americom earned 250 total points
ID: 24141985
Unless you use the UPN logon format (username@domainname) as above, I believe you need to select the domain where your account was created as the domain to log on to.
0
 

Author Comment

by:jskfan
ID: 24142088
<<Enterprise-Admin-Username@rootdomain.com>>

This worked to log on to a DC in the child domain.
If I use it to unlock a workstation that's joined to the child domain it doesn't work.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24142524

Logging on is different from unlocking a machine in the child domain. While theoretically an Enterprise Admin should be able to do this with those rights, I'd guess it may be restricted for some reason.

-Matt
0
 
LVL 18

Expert Comment

by:Americom
ID: 24142678
The UPN format can log on to the child domain because it can locate the domain in which the account being used actually exists; in the end, it actually logged on to the parent domain, as that's where the account exists.

Also, you cannot unlock the workstation because, by default, I believe only the child domain's Domain Admins group is a member of the workstation's local Administrators group. Unless you make Enterprise Admins a member of the workstation's local Administrators group, you will not be able to unlock the machine.
0
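Added example (editor's note, not part of Americom's answer): the unlock failure comes down to what the workstation's local Administrators group contains, and that is easy to inspect. The script below, run elevated on a workstation joined to the child domain, lists every member of local Administrators with its SID, checks whether the root domain's Enterprise Admins group is among them, and adds it only if you ask with `-AddEnterpriseAdmins`. It uses the WinNT ADSI provider rather than `Get-LocalGroupMember` so it also works on the 2003/XP-era clients this thread is about; `CORP` is a placeholder for the root domain's NetBIOS name.

```powershell
# Added example: show who administers (and so can unlock) this child-domain workstation,
# and optionally grant the forest root's Enterprise Admins that right. Run elevated.
param(
    [string]$RootNetbios = 'CORP',      # placeholder: NetBIOS name of the forest root domain
    [switch]$AddEnterpriseAdmins
)

$eaName = "${RootNetbios}\Enterprise Admins"
# Resolve the group to its SID (RID 519 of the root domain) so the comparison does not
# depend on how the member name happens to be rendered.
$eaSid  = ([System.Security.Principal.NTAccount]$eaName).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value

$admins  = [ADSI]'WinNT://./Administrators,group'
$members = foreach ($m in @($admins.psbase.Invoke('Members'))) {
    # Members come back as COM objects; read their path and SID through late binding.
    $path  = $m.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
    $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
    [pscustomobject]@{
        Name = ($path -replace '^WinNT://', '') -replace '/', '\'
        SID  = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}
$members | Format-Table -AutoSize

# Joining adds the machine's own domain's Domain Admins (RID 512) to local Administrators;
# the root domain's Enterprise Admins is never added by default, hence the failed unlock.
if ($members.SID -contains $eaSid) {
    "$eaName is already a local administrator here."
} elseif ($AddEnterpriseAdmins) {
    $admins.Add("WinNT://$RootNetbios/Enterprise Admins,group")
    "Added $eaName to local Administrators."
} else {
    "$eaName is not a local administrator; rerun with -AddEnterpriseAdmins to grant it."
}
```

If you decide to grant this, do it once through Group Policy (Restricted Groups or Group Policy Preferences) rather than by hand on each machine, and think twice before doing it at all: every workstation that lets Enterprise Admins log on becomes a place where forest-wide credentials can be cached and stolen. The safer pattern is to keep Enterprise Admins off workstations entirely and give the people who need to unlock machines a child-domain group that is a local administrator there.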
 

Author Comment

by:jskfan
ID: 24143402
<<<Unless you make the Enterprise Admins a member of the workstation's local Administrators group then you would be able to unlock the machine.>>>

A user needs to be a member of the local Administrators group on the workstation to unlock a workstation that is a member of the domain. Correct?
0
 
LVL 18

Expert Comment

by:Americom
ID: 24143650
Correct.
0
 

Author Comment

by:jskfan
ID: 24143694
tigermatt asked me:
<<<How are you logging in? Using Terminal Desktop, or at the console?>>>

I wonder whether another rule would apply if the login were at the console instead of over RDP.
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 250 total points
ID: 24149790

A login via Terminal Services should not have an effect on logging in at the console. However, a connection to particular servers using one of the newer RDP clients often asks for credentials prior to connection, and you may need to enter the username in the format ROOTDOMAIN\Enterprise-Admin-User in order for the connection to work correctly.

As a general rule of thumb, use the UPN name (Enterprise-Admin-User@rootdomain.com), as that will work across the Enterprise.

-Matt
0
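Added example (editor's note, not part of tigermatt's or Americom's answers): both the "use tools from your own domain to manage the child" advice earlier in the thread and the logon-name discussion here come down to how the child domain resolves a root-domain account. The script below, run from a machine joined to the child domain, shows which name forms the local security subsystem can map to a SID (UPN and `ROOTDOMAIN\user` go through the trust; a bare user name is looked up in the child domain and fails), then uses the root-domain credential against a child-domain DC without creating any child account. Domain and user names are placeholders; it assumes the RSAT ActiveDirectory module and WinRM enabled on the child DC.

```powershell
# Added example: which logon-name forms a child-domain machine resolves for a root-domain
# account, and managing the child domain with that account. Names below are placeholders.
$rootDns     = 'corp.example'          # forest root DNS name
$rootNetbios = 'CORP'                  # forest root NetBIOS name
$childDns    = 'child.corp.example'    # child domain DNS name
$sam         = 'ea.admin'              # sAMAccountName of the root-domain Enterprise Admin

function Resolve-LogonName {
    # Returns the SID that LSA maps a name to, or $null when the lookup fails.
    param([string]$Name)
    try {
        ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

# UPN and DOMAIN\user are routed to the trusted root domain; the bare name is looked up
# in this machine's own (child) domain, where the account does not exist.
foreach ($name in "${sam}@${rootDns}", "${rootNetbios}\${sam}", $sam) {
    $sid = Resolve-LogonName $name
    '{0,-32} -> {1}' -f $name, $(if ($sid) { $sid } else { 'not found in this domain' })
}

# Manage the child domain with the root account: only the parent/child trust is needed.
Import-Module ActiveDirectory
$cred    = Get-Credential -UserName "${sam}@${rootDns}" -Message 'Root-domain Enterprise Admin'
$childDc = (Get-ADDomainController -DomainName $childDns -Discover -Service ADWS).HostName |
           Select-Object -First 1

Get-ADDomain -Server $childDc -Credential $cred | Select-Object DNSRoot, DomainMode, PDCEmulator

# A session on the child DC still runs as the root-domain account (whoami prints CORP\...),
# which is Americom's point: the logon is to the domain where the account lives.
Invoke-Command -ComputerName $childDc -Credential $cred -ScriptBlock {
    whoami
    whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.'Group Name' -like '*\Enterprise Admins' } |
        Select-Object -ExpandProperty 'Group Name'
}
```

The same two working forms apply to RDP and to the Windows logon prompt: `user@rootdomain.com` in the user name field, or `ROOTDOMAIN\user` (equivalently, picking the root domain in the "Log on to" list). The UPN form is the one that survives NetBIOS name clashes and newer RDP clients that prompt before connecting, which is why it is the better habit.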


Question has a verified solution.
