Enterprise admins and access in each domain

Hi guys hope you are all well and can help.

Guys we have the following domain setup.

Root domain
|______ subdomainA
|______ subdomainB
|______ subdomainC

In the root domain, we have three users in the Enterprise Admins group.
Bob is a member of this group, and we want Bob to be able to administer EVERY computer in the forest with full domain access.
When Bob tries to log on to a domain controller in subdomainB, he can't, because an error says he needs to have the right to log on to this machine.
He tries another DC in another subdomain....same issue.

My questions are....

A) Why can't he log on to these since he is an enterprise admin?
B) Instead of creating a domain admin account in each domain for Bob and others who are members of the enterprise admin group, how can we give enterprise admins full domain access in each domain?

Any help greatly appreciated.
Asked by Simon336697
krf1963Commented:
By default, the Enterprise Admins group is a member of the Administrators group in each domain.

If somehow the Enterprise Admins group has been removed from these groups, you will have the problem you are experiencing. Check the Administrators group in each child domain and ensure that Enterprise Admins is a member of that group.
0
 
Simon336697Author Commented:
Hi krf thanks so much. I will do.

Is the enterprise admins group a universal group?


Also, if the enterprise admins group is a member of the administrators group in each domain, does that mean that members of the enterprise admins group should be able to log on to all DOMAIN CONTROLLERS within all domains in the forest, but NOT member servers in each domain?

For the enterprise admins to log on to EVERY SERVER, regardless of whether it is a DC or member server, would the enterprise admins group have to be added to each domains' domain admins group?

0
 
Mike KlineCommented:
Yes, the Enterprise Admins group is a universal security group.

Correct, they should be able to log on to the domain controllers.

You won't be able to add it to the Domain Admins group in the other domains.

The Domain Admins group is a global group, and global groups can only contain:

Accounts from the same domain as the parent global group
Global groups from the same domain as the parent global group

You could create them a second account or use restricted groups in the domain and add them to the local admin group on the servers.

Thanks

Mike
0
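To verify krf1963's point (is Enterprise Admins still in each domain's Administrators group?) and to see Mike's group-scope constraint for yourself, here is an added audit script; it is not from anyone in this thread. It assumes the RSAT ActiveDirectory module and an account that can read group membership in every domain of the forest.

```powershell
# Added audit script (not from the thread): for every domain in the forest, report
# whether the root domain's Enterprise Admins group is still a member of the builtin
# Administrators group, and show the scope of Domain Admins and Remote Desktop Users
# to explain which groups can accept a universal group from another domain.
# Assumes the RSAT ActiveDirectory module and read access to every domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
# Enterprise Admins lives only in the forest root domain.
$ea   = Get-ADGroup -Identity 'Enterprise Admins' -Server $forest.RootDomain
$eaDn = $ea.DistinguishedName

foreach ($domain in $forest.Domains) {
    # Builtin Administrators is looked up by its well-known SID so the check
    # works regardless of localized group names. Reading the raw 'member'
    # attribute avoids the cross-domain resolution errors Get-ADGroupMember
    # can raise for foreign security principals.
    $admins   = Get-ADGroup -Identity 'S-1-5-32-544' -Server $domain -Properties member
    $isMember = $admins.member -contains $eaDn

    # Global groups (Domain Admins) cannot hold principals from another domain;
    # domain local groups (Administrators, Remote Desktop Users) can.
    $da  = Get-ADGroup -Identity 'Domain Admins' -Server $domain
    $rdu = Get-ADGroup -Identity 'S-1-5-32-555' -Server $domain   # Remote Desktop Users

    [pscustomobject]@{
        Domain                   = $domain
        EnterpriseAdminsInAdmins = $isMember          # $false means it was removed: restore it
        DomainAdminsScope        = $da.GroupScope     # Global: Enterprise Admins cannot be added
        RemoteDesktopUsersScope  = $rdu.GroupScope    # DomainLocal: Enterprise Admins can be added
    }
}
```

A domain reporting EnterpriseAdminsInAdmins = False is the broken state krf1963 describes; membership on member servers is still governed by each server's local Administrators group, which this script does not inspect.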
 
krf1963Commented:
I think if you want your administrators to be able to log on to all Servers in all Domains, you will have to add the Enterprise Admins group to the Domain Admins group in each domain. This probably means there is no need to add it to each domain's Administrators group because Domain Admins is a member of this group by default.

Apologies for the incomplete answer earlier.
0
 
Mike KlineCommented:
You won't be able to add it to the domain admin group in the other domains.

Thanks


Mike
0
 
Simon336697Author Commented:
Hi guys thanks so much.
Mike, what if you had a requirement for the enterprise admins to be able to log on to any server in the entire forest? In addition, you had over 100 domains, making it painful to create a second account for them?

Can you do the following?

In the root domain where the Enterprise Admins group is, add the Enterprise Admins group as a member of each of the other domains' Domain Admins groups?
Would this work?
0
 
Simon336697Author Commented:
Guys, what I did was the following.
I added the Enterprise Admins group to each domain's Domain Admins group, but I got the error message....you need the log on through Terminal Services right to log on.....so I then added the Enterprise Admins group to each domain's Remote Desktop Users group, which worked. I would have thought that the Domain Admins group would have had this right?
0
 
krf1963Commented:
Domain Admins would normally have the right to log on using Terminal Services access. Did you really manage to add the Enterprise Admins group to the Domain Admins group in each subdomain? Looking back, I think my earlier comment was wrong and that Mike was right in saying that you would not be able to do this. Domain Admins is a global group and as such can only have as members accounts and groups from the same domain. Remote Desktop Users is a domain local group, which can contain global and universal groups from other domains.

 
0
 
Simon336697Author Commented:
Hi krf, I could not add Enterprise Admins to the Domain Admins group in each subdomain. I could add it to the Remote Desktop Users local group on the domain controller, however. The problem is that this still does not achieve what I want, which is the ability for enterprise admins to use their enterprise admin account and log on to EVERY server in all domains throughout our enterprise. By adding the Enterprise Admins group to the Remote Desktop Users group on the domain controller, this just gives access to the domain controller.
0
 
Simon336697Author Commented:
Guys just to clarify, is the following correct?

1) The enterprise admins group is a universal group.

2) You can add any account from any domain to the enterprise admins group.

3) You can add any global group to the enterprise admins group.

4) You CANNOT add the Enterprise Admins group to a domain's Domain Admins group because the Domain Admins group is a GLOBAL GROUP and can only contain members from its own domain.

5) The enterprise admins group is added to the administrators group on EVERY domain controller throughout the forest when a server becomes a DC, so a member of the enterprise admins group should be able to log on to every DC in the forest via membership of the DCs administrators local group. This does not mean the enterprise admins group can log on to every SERVER in the forest...only DCs by default.

6) The Domain Admins can log on to every server, regardless of whether it is a DC or not, because it is automatically a member of the local Administrators group on every server. Enterprise Admins is only a member of the local Administrators group on DOMAIN CONTROLLERS, not member servers. Because you cannot add Enterprise Admins to the Domain Admins group in each domain (because the Domain Admins group is a global group and only accepts objects from its own domain), another method is required to grant enterprise admins the ability to log on to all servers throughout the forest.

7) Would the best method of granting enterprise admins the ability to log on to every server throughout the forest be to:
A) Create a restricted group in each domain. Add the enterprise admin group to the local administrators group on all servers.
Or
B) Create a second account for them?

0
