
Enterprise Administrator has no admin rights on a Child Domain Member Server

I have been restructing my network and I have created a forest root domain using Server 2003 Enterprise - company.local - and several child domains, one such is corp.company.local and it is Server 2008 x64 Standard.

In company.local I have created user accounts that need rights to all subdomains, my self and the other administrators.  I added all of us to Enterprise Admins and Domain Admins in the Forest Root.  Everything seems okay in the forest root and I can even log into Domain Controllers in child domains but my administrative rights do not transfer to Member servers or computers of the child domains.  Everything I have seen states that Enterprise Admins have rights from the top of the tree on down but this only seems partially true.  Any Suggestions?  Thanks
Asked:
mts_danielcoca
1 Solution
 
Americom commented:
By default your root domain Enterprise Admins group is a member of the domain local Administrators group, which means you have total control of the child domain AD administration. Unfortunately, the Domain Local Administrators group is not a member of the Domain Admins group and cannot be, and therefore the Enterprise Admins in the root domain do not have access to the member servers in the other domains.
 
mts_danielcoca (Author) commented:
Are there any workarounds that you are aware of, or do I need to break down and create AD users in each child domain?
 
bluntTony commented:
By default, local admin rights are granted through membership of the Domain Admins group for that domain. As this group is a global group, it cannot contain accounts/groups from other domains, so unfortunately you can't add the Enterprise Admins group into a child domain's Domain Admins group, and therefore cannot get local admin rights to desktops/members.
The Enterprise Admins group does have rights for AD administration but not local administration of machines.
A workaround would be to have accounts in the child domain which you use to perform admin tasks on servers/workstations.
 
bluntTony commented:
Sorry Americom - must refresh!!!
 
Americom commented:
You can add the domain admin account or group of the Root domain to the member servers/workstations of the child domain. If you want to add it to all member machines of the child domain, you can try using a Restricted Groups GPO.
Here's a good how-to and discussion on Restricted Group Policy:
http://www.frickelsoft.net/blog/?p=13
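The group-scope point made above and the per-server workaround, as an added PowerShell example that is not from this thread. It assumes the forest root company.local has the NetBIOS name COMPANY, the child is corp.company.local, the RSAT ActiveDirectory module is installed, and the script is run elevated on a child-domain member server.

```powershell
# Added example (not from the thread). Assumptions: root domain NetBIOS name COMPANY,
# child domain corp.company.local, RSAT ActiveDirectory module present, run elevated
# on a member server of the child domain.
Import-Module ActiveDirectory

$ChildDomain = 'corp.company.local'
$RootAdmins  = 'COMPANY\Enterprise Admins'   # forest-root group to grant local admin

# 1. Why the thread's answer holds: Domain Admins is a Global group (can only hold
#    principals from its own domain), while the built-in Administrators group is
#    Domain Local and can therefore hold the root domain's Enterprise Admins.
foreach ($name in 'Domain Admins', 'Administrators') {
    Get-ADGroup -Identity $name -Server $ChildDomain |
        Select-Object Name, GroupScope, DistinguishedName
}

# 2. Show the current membership of the child's Domain Admins, which is what gives
#    local admin rights on member machines by default; no root-domain group appears.
Get-ADGroupMember -Identity 'Domain Admins' -Server $ChildDomain |
    Select-Object Name, objectClass

# 3. Workaround from the thread, applied to this one server: add the root-domain group
#    to the local Administrators group explicitly. net.exe is used because it works on
#    Server 2008 as well as on newer versions that have the LocalAccounts cmdlets.
$localAdmins = net localgroup Administrators
if ($localAdmins -contains $RootAdmins) {
    Write-Output "$RootAdmins is already a local administrator on $env:COMPUTERNAME"
} else {
    net localgroup Administrators $RootAdmins /add
    Write-Output "Added $RootAdmins to local Administrators on $env:COMPUTERNAME"
}

# 4. Record the resulting membership so the change is auditable.
net localgroup Administrators
```

For every member machine in the child domain rather than one server, the Restricted Groups GPO linked above is the supported way to enforce the same membership, and a periodic run of step 4 across servers shows whether the policy actually applied.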
 
mts_danielcoca (Author) commented:
We have used this option in other scenarios and it was a possibility I was keeping as a last resort, I was hoping that by utilizing a forest we could avoid this but it seems a failing of Active Directory's design.  Thanks for the help :)
