• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1266
  • Last Modified:

Enterprise admin in Parent / Child domain.

1-I would like to know what an Enterprise Admin in the parent domain is able to do in the child domain, if he doesn't have an account in the child domain. I believe he can create a GPO at the site level that will flow to the child domain, other than that I don't know what he can do for the child domain.


2-Is the Domain Admin for the child domain able to make himself an enterprise admin?

Thanks
0
jskfan
Asked:
jskfan
  • 6
  • 6
  • 3
2 Solutions
 
tigermattCommented:

An Enterprise Admin has permission to do ANYTHING across the ENTERPRISE. An Enterprise Admin is able to access and make any changes they wish across the root domain and all child domains in the forest.

A Domain Admin in the child domain only has permissions over the child domain; they do not have permissions over the root domain, and therefore cannot make changes to groups there or promote themselves as an Enterprise Admin. However, a Domain Admin in the root domain has the ability to promote themselves as an Enterprise Admin; access to the Root Domain should therefore be strictly controlled.

-Matt
0
 
jskfanAuthor Commented:
if Enterprise Admin from the Parent domain wants to logon to the child Domain, does he have to create an account in the child domain.
0
 
tigermattCommented:

Not at all. The trust between the domains would allow the Enterprise Admin to access the child domain. He can either use tools from his own domain to manage the domain, or if he wants to access a PC joined to the child domain, simply change the 'Log On To' on the logon prompt to the NetBIOS name of the child domain.

-Matt
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
jskfanAuthor Commented:
I created an account on the parent domain and made it Enterprise Admin.
When I tried to logon to a DC in the child domain with that account it says:
The system couldn't log you on.................
0
 
tigermattCommented:

How are you logging in? Using Terminal Desktop, or at the console?
0
 
jskfanAuthor Commented:
using Terminal Desktop
0
 
tigermattCommented:

Try specifying the user name as Enterprise-Admin-Username@rootdomain.com
0
 
AmericomCommented:
Unless you use UPN logon format(username@domainname) as above, otherwise, I believe you need to select the domain where your account is created to logon to.
0
 
jskfanAuthor Commented:
<<Enterprise-Admin-Username@rootdomain.com>>

This worked to logon to a DC in the child domain.
If I use it to unlock a workstation that's joined to the child domain it doesn't work.




0
 
tigermattCommented:

Log on is different to unlocking a machine in the child domain. While theoretically an Enterprise Admin should be able to do this with those rights, I'd guess it may be restricted for some reason.

-Matt
0
 
AmericomCommented:
The UPN format can logon to the child domain because it can locate the account being used actually exist in the specific domain to logon to, in the end it actually logged on to the parent domain as that's where the account exist.

Also, you cannot unlock the workstation because by default I believe only the child Domain Admins group is a member of the workstation's local Administrators group. Unless you make the Enterprise Admins a member of the workstation's local Administrators group then you would be able to unlock the machine.
0
 
jskfanAuthor Commented:
<<<Unless you make the Enterprise Admins a member of the workstation's local Administrators group then you would be able to unlock the machine.>>>

a user needs to be a member of local Administrators group in the woorkstation to unlock a workstation that is memeber of the domain. Correct?
0
 
AmericomCommented:
Correct.
0
 
jskfanAuthor Commented:
tigermatt  asked me
<<<How are you logging in? Using Terminal Desktop, or at the console?>>>

I wonder if the login was at he console instead of RDP  if another rule will apply.
0
 
tigermattCommented:

A login via Terminal Services should not have an effect on logging in at the console. However, a connection to particular servers using one of the newer RDP clients often asks for credentials prior to connection, and you may need to enter the username in the format ROOTDOMAIN\Enterprise-Admin-User in order for the connection to work correctly.

As a general rule of thumb, use the UPN name (Enterprise-Admin-User@rootdomain.com), as that will work across the Enterprise.

-Matt
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 6
  • 6
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now