Simon336697 (Australia) asked:
Enterprise admins and access in each domain

Hi guys hope you are all well and can help.

Guys we have the following domain setup.

Root domain
|______ subdomainA
|______ subdomainB
|______ subdomainC

In the root domain, we have three users in the Enterprise Admins group.
Bob is a member of this group, and we want Bob to be able to administer EVERY computer in the forest with full domain access.
When Bob tries to log on to a domain controller in subdomainB, he can't, because an error says he needs to have the right to log on to this machine.
He tries another DC in another subdomain; same issue.

My questions are:

A) Why can't he log on to these, since he is an Enterprise Admin?
B) Instead of creating a Domain Admin account in each domain for Bob and the others who are members of the Enterprise Admins group, how can we give Enterprise Admins full domain access in each domain?

Any help greatly appreciated.
krf1963:

By default, the Enterprise Admins group is a member of the Administrators group in each domain.

If somehow the Enterprise Admins group has been removed from these groups, you will have the problem you are experiencing. Check the Administrators group in each child domain and ensure that Enterprise Admins is a member of that group.
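The check krf1963 describes, written out as an added example (not code from this thread): it walks every domain in the forest and reports whether the forest root's Enterprise Admins group is still a member of that domain's built-in Administrators group. It assumes the ActiveDirectory RSAT module and an account that can read group membership in each domain.

```powershell
# Added example: audit Enterprise Admins membership in Builtin\Administrators per domain.
Import-Module ActiveDirectory

function Test-EnterpriseAdminsInAdministrators {
    $forest = Get-ADForest
    $root   = Get-ADDomain -Identity $forest.RootDomain
    # Enterprise Admins is the well-known RID 519 relative to the forest root domain SID
    $eaSid  = "$($root.DomainSID.Value)-519"

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dc     = $domain.PDCEmulator

        # Builtin\Administrators is S-1-5-32-544 in every domain. Read the raw 'member'
        # attribute rather than Get-ADGroupMember: in child domains the root forest group
        # appears as a foreign security principal (CN=<SID>,CN=ForeignSecurityPrincipals,...),
        # and resolving each DN to its objectSid handles both the root and child cases.
        $admins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $dc -Properties member
        $memberSids = foreach ($dn in $admins.member) {
            (Get-ADObject -Identity $dn -Server $dc -Properties objectSid).objectSid.Value
        }

        [pscustomobject]@{
            Domain                           = $domainName
            DomainController                 = $dc
            EnterpriseAdminsInAdministrators = ($memberSids -contains $eaSid)
        }
    }
}

# A 'False' row is a domain where the default nesting has been removed and
# Enterprise Admins will not get the DC logon rights granted to Administrators.
Test-EnterpriseAdminsInAdministrators | Format-Table -AutoSize
```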
Simon336697 (asker):
Hi krf thanks so much. I will do.

Is the enterprise admins group a universal group?


Also, if the enterprise admins group is a member of the administrators group in each domain, does that mean that members of the enterprise admins group should be able to log on to all DOMAIN CONTROLLERS within all domains in the forest, but NOT member servers in each domain?

For the Enterprise Admins to log on to EVERY SERVER, regardless of whether it is a DC or a member server, would the Enterprise Admins group have to be added to each domain's Domain Admins group?

ASKER CERTIFIED SOLUTION by Mike Kline (United States of America); solution text available to members only.
I think if you want your administrators to be able to log on to all Servers in all Domains, you will have to add the Enterprise Admins group to the Domain Admins group in each domain. This probably means there is no need to add it to each domain's Administrators group because Domain Admins is a member of this group by default.

Apologies for the incomplete answer earlier.
SOLUTION: text available to members only.
Hi guys thanks so much.
Mike, what if you had a requirement for the enterprise admins to be able to log on to any server in the entire forest? In addition, you had over 100 domains, making it painful to create a second account for them?

Can you do the following?

In the root domain where the Enterprise Admins group is, add the Enterprise Admins group as a member of each of the other domains' Domain Admins groups?
Would this work?

Guys, what I did was the following.
I added the Enterprise Admins group to each domain's Domain Admins group, but I got the error message "you need the log on through Terminal Services right to log on", so I then added the Enterprise Admins group to each domain's Remote Desktop Users group, which worked. I would have thought that the Domain Admins group would have had this right?
SOLUTION: text available to members only.
Hi krf, I could not add Enterprise Admins to the Domain Admins group in each subdomain. I could, however, add it to the Remote Desktop Users local group on the domain controller. The problem is that this still does not achieve what I want, which is the ability for Enterprise Admins to use their Enterprise Admin account and log on to EVERY server in all domains throughout our enterprise. By adding the Enterprise Admins group to the Remote Desktop Users group on the domain controller, this just gives access to the domain controller.

Guys, just to clarify, is the following correct?

1) The Enterprise Admins group is a universal group.

2) You can add any account from any domain to the Enterprise Admins group.

3) You can add any global group to the Enterprise Admins group.

4) You CANNOT add the Enterprise Admins group to a domain's Domain Admins group, because the Domain Admins group is a GLOBAL GROUP and can only contain members from its own domain.

5) The Enterprise Admins group is added to the Administrators group on EVERY domain controller throughout the forest when a server becomes a DC, so a member of the Enterprise Admins group should be able to log on to every DC in the forest via membership of the DC's Administrators local group. This does not mean the Enterprise Admins group can log on to every SERVER in the forest; only DCs by default.

6) The Domain Admins can log on to every server, regardless of whether it is a DC or not, because it is automatically a member of the local Administrators group on every server. Enterprise Admins is only a member of the local Administrators group on DOMAIN CONTROLLERS, not member servers. Because you cannot add Enterprise Admins to the Domain Admins group in each domain (because the Domain Admins group is a global group and only accepts objects from its own domain), another method is required to grant Enterprise Admins the ability to log on to all servers throughout the forest.

7) Would the best method of granting Enterprise Admins the ability to log on to every server throughout the forest be to:
A) Create a Restricted Group in each domain and add the Enterprise Admins group to the local Administrators group on all servers,
or
B) Create a second account for them?
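Whichever option is chosen, the thing to verify afterwards is whether Enterprise Admins actually ends up in the local Administrators group of each member server (the result option A is meant to produce). The following is an added example, not code from this thread: it reads each server's local Administrators membership by SID and compares it against the Enterprise Admins SID of the forest root. The server names are constructed placeholders, and it assumes the ActiveDirectory module plus an account allowed to read the servers' local groups remotely.

```powershell
# Added example: audit local Administrators on member servers for the Enterprise Admins SID.
Import-Module ActiveDirectory

function Get-LocalAdministratorSids {
    param([string]$ComputerName)
    # The ADSI WinNT provider returns local group members on any supported Windows Server
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        # Each member is a COM object; pull its binary objectSid and convert to string form
        $sidBytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
    }
}

function Test-EnterpriseAdminsIsLocalAdmin {
    param([string[]]$ComputerName)
    $root  = Get-ADDomain -Identity (Get-ADForest).RootDomain
    $eaSid = "$($root.DomainSID.Value)-519"   # Enterprise Admins = root domain SID + RID 519

    foreach ($server in $ComputerName) {
        try {
            $sids = Get-LocalAdministratorSids -ComputerName $server
            [pscustomobject]@{
                Server                       = $server
                EnterpriseAdminsIsLocalAdmin = ($sids -contains $eaSid)
                Error                        = $null
            }
        } catch {
            # Unreachable hosts are reported rather than silently skipped
            [pscustomobject]@{
                Server                       = $server
                EnterpriseAdminsIsLocalAdmin = $null
                Error                        = $_.Exception.Message
            }
        }
    }
}

# Constructed sample server list (placeholders); replace with real member servers.
Test-EnterpriseAdminsIsLocalAdmin -ComputerName 'srv1.subdomainA.example', 'srv2.subdomainB.example' |
    Format-Table -AutoSize
```

Comparing by SID rather than display name avoids false negatives when the group is shown under a different name or as an unresolved SID on a server in another domain.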