Solved

Enterprise admins and access in each domain

Posted on 2011-09-08
10
2,165 Views
Last Modified: 2012-05-12
Hi guys, hope you are all well and can help.

Guys, we have the following domain setup.

Root domain
|______ subdomainA
|______ subdomainB
|______ subdomainC

In the root domain, we have three users in the Enterprise Admins group.
Bob is a member of this group, and we want Bob to be able to administer EVERY computer in the forest with full domain access.
When Bob tries to log on to a domain controller in subdomainB, he can't, because an error says he needs to have the right to log on to this machine.
He tries another DC in another subdomain... same issue.

My questions are....

A) Why can't he log on to these since he is an enterprise admin?
B) Instead of creating a domain admin account in each domain for Bob and others who are members of the enterprise admin group, how can we give enterprise admins full domain access in each domain?

Any help greatly appreciated.
0
Question by:Simon336697
10 Comments
 
LVL 4

Expert Comment

by:krf1963
ID: 36502006
By default, the Enterprise Admins group is a member of the Administrators group in each domain.

If somehow the Enterprise Admins group has been removed from these groups, you will have the problem you are experiencing. Check the Administrators group in each child domain and ensure that Enterprise Admins is a member of that group.
0
 
LVL 1

Author Comment

by:Simon336697
ID: 36502048
Hi krf, thanks so much. I will do.

Is the enterprise admins group a universal group?


Also, if the enterprise admins group is a member of the administrators group in each domain, does that mean that members of the enterprise admins group should be able to log on to all DOMAIN CONTROLLERS within all domains in the forest, but NOT member servers in each domain?

For the enterprise admins to log on to EVERY SERVER, regardless of whether it is a DC or member server, would the enterprise admins group have to be added to each domain's Domain Admins group?

0
 
LVL 57

Accepted Solution

by:Mike Kline
Mike Kline earned 334 total points
ID: 36502889
Yes, the Enterprise Admins group is a universal security group.

Correct, they should be able to log on to the domain controllers.

You won't be able to add it to the Domain Admins group in the other domains.

The Domain Admins group is a global group, and global groups can only contain:

Accounts from the same domain as the parent global group
Global groups from the same domain as the parent global group

You could create them a second account or use restricted groups in the domain and add them to the local admin group on the servers.

Thanks

Mike
0

 
LVL 4

Expert Comment

by:krf1963
ID: 36503002
I think if you want your administrators to be able to log on to all Servers in all Domains, you will have to add the Enterprise Admins group to the Domain Admins group in each domain. This probably means there is no need to add it to each domain's Administrators group because Domain Admins is a member of this group by default.

Apologies for the incomplete answer earlier.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 334 total points
ID: 36503025
You won't be able to add it to the domain admin group in the other domains.

Thanks


Mike
0
 
LVL 1

Author Comment

by:Simon336697
ID: 36506631
Hi guys, thanks so much.
Mike, what if you had a requirement for the enterprise admins to be able to log on to any server in the entire forest? In addition, you had over 100 domains, making it painful to create a second account for them?

Can you do the following?

In the root domain where the enterprise admins group is, add the enterprise admins group as a member of each of the other domains' Domain Admins groups?
Would this work?
0
 
LVL 1

Author Comment

by:Simon336697
ID: 36507868
Guys, what I did was the following.
I added the enterprise admins group to each domain's Domain Admins group, but I got the error message... you need the "log on through Terminal Services" right to log on... so I then added the enterprise admins group to each domain's Remote Desktop Users group, which worked. I would have thought that the Domain Admins group would have had this right?
0
 
LVL 4

Assisted Solution

by:krf1963
krf1963 earned 166 total points
ID: 36509151
Domain Admins would normally have the right to log on using Terminal Services access. Did you really manage to add the Enterprise Admins group to the Domain Admins group in each subdomain? Looking back, I think my earlier comment was wrong and that Mike was right in saying that you would not be able to do this. Domain Admins is a global group and as such can only have as members accounts and groups from the same domain. Remote Desktop Users is a domain local group, which can contain global and universal groups from other domains.

 
0
 
LVL 1

Author Comment

by:Simon336697
ID: 36519757
Hi krf, I could not add enterprise admins to the Domain Admins group in each subdomain. I could add it to the Remote Desktop Users local group on the domain controller, however. The problem is that this still does not achieve what I want, which is the ability for enterprise admins to use their enterprise admin account and log on to EVERY server in all domains throughout our enterprise. Adding the enterprise admins group to the Remote Desktop Users group on the domain controller just gives access to the domain controller.
0
 
LVL 1

Author Comment

by:Simon336697
ID: 36520061
Guys, just to clarify, is the following correct?

1) The enterprise admins group is a universal group.

2) You can add any account from any domain to the enterprise admins group.

3) You can add any global group to the enterprise admins group.

4) You CANNOT add the enterprise admins group to a domain's Domain Admins group because the Domain Admins group is a GLOBAL GROUP and can only contain members from its own domain.

5) The enterprise admins group is added to the Administrators group on EVERY domain controller throughout the forest when a server becomes a DC, so a member of the enterprise admins group should be able to log on to every DC in the forest via membership of the DC's Administrators local group. This does not mean the enterprise admins group can log on to every SERVER in the forest... only DCs by default.

6) The domain admins can log on to every server, regardless of whether it is a DC or not, because it is automatically a member of the local Administrators group on every server. Enterprise admins are only a member of the local Administrators group on DOMAIN CONTROLLERS, not member servers. Because you cannot add enterprise admins to the Domain Admins group in each domain (because the Domain Admins group is a global group and only accepts objects in its own domain), another method is required to grant enterprise admins the ability to log on to all servers throughout the forest.

7) Would the best method of granting enterprise admins the ability to log on to every server throughout the forest be to:
A) Create a restricted group in each domain. Add the enterprise admin group to the local administrators group on all servers.
Or
B) Create a second account for them?

0
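As an added example (not code from the thread or from any participant), the following PowerShell walks every domain in the forest and reports the facts the thread establishes: the scope of each domain's Domain Admins and built-in Administrators groups, and whether the root-domain Enterprise Admins group is still a member of that domain's Administrators group (the default krf1963 says to check) and of its Remote Desktop Users group (what the asker added). It assumes the RSAT ActiveDirectory module and an account that can read group objects in every domain.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and an account that can read group objects in every domain of the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = Get-ADDomain -Identity $forest.RootDomain

# Enterprise Admins exists only in the forest root and always has RID 519.
$eaSid = "$($root.DomainSID.Value)-519"
$ea    = Get-ADGroup -Identity $eaSid -Server $root.PDCEmulator
"Enterprise Admins scope: $($ea.GroupScope)"   # Universal, as Mike states

foreach ($name in $forest.Domains) {
    $dom = Get-ADDomain -Identity $name
    $dc  = $dom.PDCEmulator

    # Domain Admins has RID 512 in every domain (global scope).
    $da = Get-ADGroup -Identity "$($dom.DomainSID.Value)-512" -Server $dc

    # BUILTIN\Administrators (S-1-5-32-544) and BUILTIN\Remote Desktop Users
    # (S-1-5-32-555) are domain local, so they can hold the universal EA group.
    # Reading the 'member' attribute directly avoids Get-ADGroupMember having to
    # resolve cross-domain members, which is the case we are checking for.
    $admins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $dc -Properties member
    $rdu    = Get-ADGroup -Identity 'S-1-5-32-555' -Server $dc -Properties member

    [pscustomobject]@{
        Domain                     = $name
        DomainAdminsScope          = $da.GroupScope      # Global: cannot hold EA from the root
        AdministratorsScope        = $admins.GroupScope  # DomainLocal
        EAInAdministrators         = [bool]($admins.member -contains $ea.DistinguishedName)
        EAInRemoteDesktopUsers     = [bool]($rdu.member    -contains $ea.DistinguishedName)
    }

    # Restoring the default nesting when it has drifted, left commented on purpose:
    # if ($admins.member -notcontains $ea.DistinguishedName) {
    #     Add-ADGroupMember -Identity $admins -Members $ea -Server $dc
    # }
}
```

A domain reporting EAInAdministrators as False is the condition krf1963's first comment describes; Administrators on a DC only covers that DC, so member-server access still needs the restricted-groups or second-account approach discussed above.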
