[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Enterprise admin in Parent / Child domain.

Posted on 2009-04-14
15
Medium Priority
?
1,230 Views
Last Modified: 2012-05-06
1-I would like to know what an Enterprise Admin in the parent domain is able to do in the child domain, if he doesn't have an account in the child domain. I believe he can create a GPO at the site level that will flow to the child domain, other than that I don't know what he can do for the child domain.


2-Is the Domain Admin for the child domain able to make himself an enterprise admin?

Thanks
0
Comment
Question by:jskfan
  • 6
  • 6
  • 3
15 Comments
 
LVL 58

Expert Comment

by:tigermatt
ID: 24140535

An Enterprise Admin has permission to do ANYTHING across the ENTERPRISE. An Enterprise Admin is able to access and make any changes they wish across the root domain and all child domains in the forest.

A Domain Admin in the child domain only has permissions over the child domain; they do not have permissions over the root domain, and therefore cannot make changes to groups there or promote themselves as an Enterprise Admin. However, a Domain Admin in the root domain has the ability to promote themselves as an Enterprise Admin; access to the Root Domain should therefore be strictly controlled.

-Matt
0
 

Author Comment

by:jskfan
ID: 24140755
if Enterprise Admin from the Parent domain wants to logon to the child Domain, does he have to create an account in the child domain.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24140803

Not at all. The trust between the domains would allow the Enterprise Admin to access the child domain. He can either use tools from his own domain to manage the domain, or if he wants to access a PC joined to the child domain, simply change the 'Log On To' on the logon prompt to the NetBIOS name of the child domain.

-Matt
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:jskfan
ID: 24140855
I created an account on the parent domain and made it Enterprise Admin.
When I tried to logon to a DC in the child domain with that account it says:
The system couldn't log you on.................
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24140934

How are you logging in? Using Terminal Desktop, or at the console?
0
 

Author Comment

by:jskfan
ID: 24140975
using Terminal Desktop
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24141141

Try specifying the user name as Enterprise-Admin-Username@rootdomain.com
0
 
LVL 18

Accepted Solution

by:
Americom earned 1000 total points
ID: 24141985
Unless you use UPN logon format(username@domainname) as above, otherwise, I believe you need to select the domain where your account is created to logon to.
0
 

Author Comment

by:jskfan
ID: 24142088
<<Enterprise-Admin-Username@rootdomain.com>>

This worked to logon to a DC in the child domain.
If I use it to unlock a workstation that's joined to the child domain it doesn't work.




0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24142524

Log on is different to unlocking a machine in the child domain. While theoretically an Enterprise Admin should be able to do this with those rights, I'd guess it may be restricted for some reason.

-Matt
0
 
LVL 18

Expert Comment

by:Americom
ID: 24142678
The UPN format can logon to the child domain because it can locate the account being used actually exist in the specific domain to logon to, in the end it actually logged on to the parent domain as that's where the account exist.

Also, you cannot unlock the workstation because by default I believe only the child Domain Admins group is a member of the workstation's local Administrators group. Unless you make the Enterprise Admins a member of the workstation's local Administrators group then you would be able to unlock the machine.
0
 

Author Comment

by:jskfan
ID: 24143402
<<<Unless you make the Enterprise Admins a member of the workstation's local Administrators group then you would be able to unlock the machine.>>>

a user needs to be a member of local Administrators group in the woorkstation to unlock a workstation that is memeber of the domain. Correct?
0
 
LVL 18

Expert Comment

by:Americom
ID: 24143650
Correct.
0
 

Author Comment

by:jskfan
ID: 24143694
tigermatt  asked me
<<<How are you logging in? Using Terminal Desktop, or at the console?>>>

I wonder if the login was at he console instead of RDP  if another rule will apply.
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 1000 total points
ID: 24149790

A login via Terminal Services should not have an effect on logging in at the console. However, a connection to particular servers using one of the newer RDP clients often asks for credentials prior to connection, and you may need to enter the username in the format ROOTDOMAIN\Enterprise-Admin-User in order for the connection to work correctly.

As a general rule of thumb, use the UPN name (Enterprise-Admin-User@rootdomain.com), as that will work across the Enterprise.

-Matt
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question