mts_danielcoca asked:
Enterprise Administrator has no admin rights on a Child Domain Member Server

I have been restructuring my network and I have created a forest root domain using Server 2003 Enterprise - company.local - and several child domains, one such is corp.company.local and it is Server 2008 x64 Standard.

In company.local I have created user accounts that need rights to all subdomains, myself and the other administrators.  I added all of us to Enterprise Admins and Domain Admins in the Forest Root.  Everything seems okay in the forest root and I can even log into Domain Controllers in child domains, but my administrative rights do not transfer to member servers or computers of the child domains.  Everything I have seen states that Enterprise Admins have rights from the top of the tree on down, but this only seems partially true.  Any suggestions?  Thanks
Americom replied:

By default your root domain Enterprise Admins group is a member of the domain local Administrators group, which means you have total control of the child domain AD administration. Unfortunately, the Domain Local Administrators group is not a member of the Domain Admins group and cannot be, and therefore the Enterprise Admins in the root domain do not have access to the member servers in the other domains.
mts_danielcoca (asker):
Are there any workarounds that you are aware of, or do I need to break down and create AD users in each child domain?
By default, local admin rights are granted through membership of the Domain Admins group for that domain. As this group is a global group, it cannot contain accounts/groups from other domains, so unfortunately you can't add the Enterprise Admins group into a child domain's Domain Admins group, and therefore not get local admin rights to desktops/members.
The Enterprise Admins group does have rights for AD administration but not local administration of machines.
A workaround would be to have accounts in the child domain which you use to perform admin tasks on servers/workstations.
Sorry Americom - must refresh!!!
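The replies above come down to group scope: the child domain's Domain Admins group is Global, so it can never hold root-domain principals, and that is the only group a domain join drops into a member server's local Administrators group. The following PowerShell is an added example, not code from anyone in this thread, showing the check and one workaround that goes a step beyond the "separate child-domain accounts" suggestion: put the root-domain admins in a Universal group in company.local and add that group to local Administrators on the child-domain member servers directly. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the servers, and that the group name, account names, server names and OU path are placeholders (none of them appear in the thread).

```powershell
# Added example; not from the original thread. Assumes the ActiveDirectory
# module (RSAT) and PS remoting. All names below are hypothetical placeholders.
#Requires -Modules ActiveDirectory

$RootDomain  = 'company.local'                      # forest root (from the question)
$ChildDomain = 'corp.company.local'                 # child domain (from the question)
$GroupName   = 'CrossDomain-ServerAdmins'           # hypothetical universal group
$RootAdmins  = @('dcoca', 'admin2')                 # hypothetical root-domain admin accounts
$GroupOU     = 'CN=Users,DC=company,DC=local'       # assumed container for the new group
$Servers     = @('srv01.corp.company.local',
                 'srv02.corp.company.local')        # hypothetical child-domain member servers

# 1. Show why Enterprise Admins does not reach member servers: the child domain's
#    Domain Admins group is Global, so it can only contain principals from its
#    own domain. A Universal group carries no such restriction.
$childDA = Get-ADGroup -Identity 'Domain Admins' -Server $ChildDomain
"Domain Admins in {0} has scope {1}" -f $ChildDomain, $childDA.GroupScope

# 2. Create (once) a Universal security group in the forest root and add the
#    root-domain admin accounts to it. Universal groups are published in the
#    global catalog, so every domain in the forest can resolve the membership.
$grp = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $RootDomain
if (-not $grp) {
    $grp = New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security `
                       -Path $GroupOU -Server $RootDomain -PassThru
}
Add-ADGroupMember -Identity $grp -Members $RootAdmins -Server $RootDomain

# 3. Add that group to the built-in Administrators group on each child-domain
#    member server. Local group membership takes DOMAIN\group, so look up the
#    root domain's NetBIOS name rather than guessing it.
$RootNetBIOS = (Get-ADDomain -Server $RootDomain).NetBIOSName
$Member      = "$RootNetBIOS\$GroupName"

Invoke-Command -ComputerName $Servers -ArgumentList $Member -ScriptBlock {
    param($m)
    if (Get-Command Add-LocalGroupMember -ErrorAction SilentlyContinue) {
        # Windows Server 2016+ / PowerShell 5.1 LocalAccounts module
        Add-LocalGroupMember -Group 'Administrators' -Member $m -ErrorAction SilentlyContinue
    } else {
        # Older hosts such as Server 2008 lack that module; net.exe works everywhere
        & net localgroup Administrators $m /add | Out-Null
    }
    # Return the resulting membership so the caller can verify the change
    & net localgroup Administrators
}
```

For more than a handful of servers the same membership change is better pushed by Group Policy (Restricted Groups or Group Policy Preferences on an OU in the child domain) than by remoting to each host. Note the trade-off: this makes a root-domain group local administrator on every server it is applied to, so the accounts in that group need to be protected accordingly (dedicated admin accounts, no day-to-day use), which is the same concern the thread's "separate accounts per child domain" workaround sidesteps by keeping the privilege inside each domain.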
ASKER CERTIFIED SOLUTION (Americom):

We have used this option in other scenarios and it was a possibility I was keeping as a last resort, I was hoping that by utilizing a forest we could avoid this but it seems a failing of Active Directory's design.  Thanks for the help :)