Solved

Enterprise admin in Parent / Child domain.

Posted on 2009-04-14
15
1,204 Views
Last Modified: 2012-05-06
1-I would like to know what an Enterprise Admin in the parent domain is able to do in the child domain, if he doesn't have an account in the child domain. I believe he can create a GPO at the site level that will flow to the child domain, other than that I don't know what he can do for the child domain.


2-Is the Domain Admin for the child domain able to make himself an enterprise admin?

Thanks
0
Comment
Question by:jskfan
  • 6
  • 6
  • 3
15 Comments
 
LVL 58

Expert Comment

by:tigermatt
ID: 24140535

An Enterprise Admin has permission to do ANYTHING across the ENTERPRISE. An Enterprise Admin is able to access and make any changes they wish across the root domain and all child domains in the forest.

A Domain Admin in the child domain only has permissions over the child domain; they do not have permissions over the root domain, and therefore cannot make changes to groups there or promote themselves as an Enterprise Admin. However, a Domain Admin in the root domain has the ability to promote themselves as an Enterprise Admin; access to the Root Domain should therefore be strictly controlled.

-Matt
0
 

Author Comment

by:jskfan
ID: 24140755
if Enterprise Admin from the Parent domain wants to logon to the child Domain, does he have to create an account in the child domain.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24140803

Not at all. The trust between the domains would allow the Enterprise Admin to access the child domain. He can either use tools from his own domain to manage the domain, or if he wants to access a PC joined to the child domain, simply change the 'Log On To' on the logon prompt to the NetBIOS name of the child domain.

-Matt
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:jskfan
ID: 24140855
I created an account on the parent domain and made it Enterprise Admin.
When I tried to logon to a DC in the child domain with that account it says:
The system couldn't log you on.................
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24140934

How are you logging in? Using Terminal Desktop, or at the console?
0
 

Author Comment

by:jskfan
ID: 24140975
using Terminal Desktop
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24141141

Try specifying the user name as Enterprise-Admin-Username@rootdomain.com
0
 
LVL 18

Accepted Solution

by:
Americom earned 250 total points
ID: 24141985
Unless you use UPN logon format(username@domainname) as above, otherwise, I believe you need to select the domain where your account is created to logon to.
0
 

Author Comment

by:jskfan
ID: 24142088
<<Enterprise-Admin-Username@rootdomain.com>>

This worked to logon to a DC in the child domain.
If I use it to unlock a workstation that's joined to the child domain it doesn't work.




0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24142524

Log on is different to unlocking a machine in the child domain. While theoretically an Enterprise Admin should be able to do this with those rights, I'd guess it may be restricted for some reason.

-Matt
0
 
LVL 18

Expert Comment

by:Americom
ID: 24142678
The UPN format can logon to the child domain because it can locate the account being used actually exist in the specific domain to logon to, in the end it actually logged on to the parent domain as that's where the account exist.

Also, you cannot unlock the workstation because by default I believe only the child Domain Admins group is a member of the workstation's local Administrators group. Unless you make the Enterprise Admins a member of the workstation's local Administrators group then you would be able to unlock the machine.
0
 

Author Comment

by:jskfan
ID: 24143402
<<<Unless you make the Enterprise Admins a member of the workstation's local Administrators group then you would be able to unlock the machine.>>>

a user needs to be a member of local Administrators group in the woorkstation to unlock a workstation that is memeber of the domain. Correct?
0
 
LVL 18

Expert Comment

by:Americom
ID: 24143650
Correct.
0
 

Author Comment

by:jskfan
ID: 24143694
tigermatt  asked me
<<<How are you logging in? Using Terminal Desktop, or at the console?>>>

I wonder if the login was at he console instead of RDP  if another rule will apply.
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 250 total points
ID: 24149790

A login via Terminal Services should not have an effect on logging in at the console. However, a connection to particular servers using one of the newer RDP clients often asks for credentials prior to connection, and you may need to enter the username in the format ROOTDOMAIN\Enterprise-Admin-User in order for the connection to work correctly.

As a general rule of thumb, use the UPN name (Enterprise-Admin-User@rootdomain.com), as that will work across the Enterprise.

-Matt
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question