Solved

Enterprise admins and access in each domain

Posted on 2011-09-08
Last Modified: 2012-05-12
Hi guys, hope you are all well and can help.

Guys, we have the following domain setup.

Root domain
|______ subdomainA
|______ subdomainB
|______ subdomainC

In the root domain, we have three users in the Enterprise Admins group.
Bob is a member of this group, and we want Bob to be able to administer EVERY computer in the forest with full domain access.
When Bob tries to log on to a domain controller in subdomainB, he can't, because an error says he needs to have the right to log on to this machine.
He tries another DC in another subdomain....same issue.

My questions are....

A) Why can't he log on to these since he is an enterprise admin?
B) Instead of creating a domain admin account in each domain for Bob and others who are members of the enterprise admin group, how can we give enterprise admins full domain access in each domain?

Any help greatly appreciated.
Question by:Simon336697
10 Comments
 

Expert Comment

by:krf1963
ID: 36502006
By default, the Enterprise Admins group is a member of the Administrators group in each domain.

If somehow the Enterprise Admins group has been removed from these groups, you will have the problem you are experiencing. Check the Administrators group in each child domain and ensure that Enterprise Admins is a member of that group.
 

Author Comment

by:Simon336697
ID: 36502048
Hi krf thanks so much. I will do.

Is the enterprise admins group a universal group?


Also, if the enterprise admins group is a member of the administrators group in each domain, does that mean that members of the enterprise admins group should be able to log on to all DOMAIN CONTROLLERS within all domains in the forest, but NOT member servers in each domain?

For the enterprise admins to log on to EVERY SERVER, regardless of whether it is a DC or member server, would the enterprise admins group have to be added to each domain's domain admins group?

 

Accepted Solution

by:Mike Kline (earned 334 total points)
ID: 36502889
Yes, the Enterprise Admins group is a universal security group.

Correct, they should be able to log on to the domain controllers.

You won't be able to add it to the Domain Admins group in the other domains.

The Domain Admins group is a global group, and global groups can only contain:

Accounts from the same domain as the parent global group
Global groups from the same domain as the parent global group

You could create a second account for them, or use Restricted Groups in the domain to add them to the local Administrators group on the servers.

Thanks

Mike
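The accepted answer comes down to two checkable facts: Enterprise Admins is a universal group in the forest root, and Domain Admins is a global group in each domain, so the former can never be nested in the latter outside the root. The script below is an added example, not code from this thread or from Microsoft; it walks every domain in the forest, reports the scope of each Domain Admins group, and confirms (or, with -Fix, restores) the default membership of Enterprise Admins in each domain's built-in Administrators group that krf1963 pointed to. It assumes the ActiveDirectory module (RSAT or Server 2008 R2 and later) and an account that can read group membership in every domain. The function name Test-EnterpriseAdminsAccess is mine.

```powershell
# Added example, not from the thread: audit the group-scope facts above for every
# domain in the forest. Assumes the ActiveDirectory module (RSAT / Server 2008 R2+)
# and an account that can read group membership in each domain.
Import-Module ActiveDirectory

function Test-EnterpriseAdminsAccess {
    param(
        # Re-add Enterprise Admins to a domain's Administrators group if it is missing.
        [switch]$Fix
    )

    $forest = Get-ADForest
    $root   = Get-ADDomain -Identity $forest.RootDomain

    # Enterprise Admins exists only in the forest root and always has RID 519;
    # Domain Admins has RID 512 in every domain. Looking them up by SID avoids
    # problems with renamed or localised group names.
    $ea = Get-ADGroup -Identity "$($root.DomainSID)-519" -Server $root.DNSRoot
    if ($ea.GroupScope -ne 'Universal') {
        Write-Warning "Enterprise Admins scope is $($ea.GroupScope); expected Universal"
    }

    foreach ($domainName in $forest.Domains) {
        $dom = Get-ADDomain -Identity $domainName
        $da  = Get-ADGroup -Identity "$($dom.DomainSID)-512" -Server $dom.DNSRoot

        # BUILTIN\Administrators is the well-known SID S-1-5-32-544 in every domain.
        # It is domain local, so it can hold a universal group from another domain.
        # On a DC this group IS the machine's Administrators group, which is why
        # Enterprise Admins can log on to DCs but not to member servers.
        $admins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $dom.DNSRoot -Properties member
        $eaInAdmins = $admins.member -contains $ea.DistinguishedName

        if (-not $eaInAdmins -and $Fix) {
            # Restore the default membership. Target a DC of this domain explicitly;
            # the member being added is an object from the root domain.
            Add-ADGroupMember -Identity $admins -Members $ea -Server $dom.DNSRoot
            $eaInAdmins = $true
        }

        [pscustomobject]@{
            Domain                = $dom.DNSRoot
            DomainAdminsScope     = $da.GroupScope   # Global: members must come from this domain
            # A global group only accepts principals whose domain SID matches its own,
            # so Enterprise Admins (root SID) can only be nested in the root's Domain Admins.
            EACanJoinDomainAdmins = ($dom.DomainSID.Value -eq $root.DomainSID.Value)
            EAInBuiltinAdmins     = $eaInAdmins
        }
    }
}

# Usage: report first; run with -Fix only once the report looks right.
Test-EnterpriseAdminsAccess | Format-Table -AutoSize
# Test-EnterpriseAdminsAccess -Fix
```

Membership is read from the group's member attribute rather than with Get-ADGroupMember, because the latter can choke on cross-domain members; comparing distinguished names is enough here since in-forest members of a domain local group are stored as plain DNs.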
 

Expert Comment

by:krf1963
ID: 36503002
I think if you want your administrators to be able to log on to all Servers in all Domains, you will have to add the Enterprise Admins group to the Domain Admins group in each domain. This probably means there is no need to add it to each domain's Administrators group because Domain Admins is a member of this group by default.

Apologies for the incomplete answer earlier.
 

Assisted Solution

by:Mike Kline (earned 334 total points)
ID: 36503025
You won't be able to add it to the domain admin group in the other domains.

Thanks


Mike
 

Author Comment

by:Simon336697
ID: 36506631
Hi guys thanks so much.
Mike, what if you had a requirement for the enterprise admins to be able to log on to any server in the entire forest? In addition, you had over 100 domains, making it painful to create a second account for them?

Can you do the following?

In the root domain where the enterprise admins group is, add the enterprise admins group as a member of each of the other domains' domain admins groups?
Would this work?
 

Author Comment

by:Simon336697
ID: 36507868
Guys, what I did was the following.
I added the enterprise admins group to each domain's domain admins group, but I got the error message... you need the log on terminal services right to log on... so I then added the enterprise admins group to each domain's remote desktop users group, which worked. I would have thought that the domain admins group would have had this right?
 

Assisted Solution

by:krf1963 (earned 166 total points)
ID: 36509151
Domain Admins would normally have the right to log on using Terminal Services access. Did you really manage to add the Enterprise Admins group to the Domain Admins group in each subdomain? Looking back, I think my earlier comment was wrong and that Mike was right in saying that you would not be able to do this. Domain Admins is a global group and as such can only have as members accounts and groups from the same domain. Remote Desktop Users is a domain local group, which can contain global and universal groups from other domains.

 

Author Comment

by:Simon336697
ID: 36519757
Hi krf, I could not add enterprise admins to the domain admins group in each subdomain. I could, however, add it to the remote desktop users local group on the domain controller. The problem is that this still does not achieve what I want, which is the ability for enterprise admins to use their enterprise admin account and log on to EVERY server in all domains throughout our enterprise. Adding the enterprise admins group to the remote desktop users group on the domain controller just gives access to the domain controller.
 

Author Comment

by:Simon336697
ID: 36520061
Guys just to clarify, is the following correct?

1) The enterprise admins group is a universal group.

2) You can add any account from any domain to the enterprise admins group.

3) You can add any global group to the enterprise admins group.

4) You CANNOT add the enterprise admins group to a domain's domain admins group because the domain admins group is a GLOBAL GROUP and can only contain members from its own domain.

5) The enterprise admins group is added to the administrators group on EVERY domain controller throughout the forest when a server becomes a DC, so a member of the enterprise admins group should be able to log on to every DC in the forest via membership of the DCs administrators local group. This does not mean the enterprise admins group can log on to every SERVER in the forest...only DCs by default.

6) The domain admins can log on to every server, regardless of whether it is a DC or not, because it is automatically a member of the local admins group on every server. Enterprise admins are only a member of the local admins group on DOMAIN CONTROLLERS, not member servers. Because you cannot add enterprise admins to the domain admins group in each domain (because the domain admins group is a global group and only accepts objects in its own domain), another method is required to grant enterprise admins the ability to log on to all servers throughout the forest.

7) Would the best method of granting enterprise admins the ability to log on to every server throughout the forest be to:
A) Create a restricted group in each domain, adding the enterprise admin group to the local administrators group on all servers.
Or
B) Create a second account for them?

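Option 7A in the summary above is what a Restricted Groups policy does for you on every machine it applies to. The script below is an added example, not code from this thread or from Microsoft; it performs the same change ad hoc, so you can see exactly what ends up on each box: for every domain in the forest it finds the member servers (domain controllers are skipped, because on a DC "Administrators" is the domain's built-in group, which already contains Enterprise Admins), reports whether the root domain's Enterprise Admins group is in the local Administrators group, and adds it only when run with -Apply. It assumes the ActiveDirectory module, PowerShell remoting (WinRM) enabled on the servers, and that the account running it already administers them. The function name Grant-EnterpriseAdminsLocalAdmin is mine. One caveat a reviewer of this design would raise: once Enterprise Admins is a local administrator everywhere, every member server becomes a place where the forest's most privileged credential can be captured, which is why the accepted answer's other option, a separate per-domain admin account for day-to-day work, is the safer pattern.

```powershell
# Added example, not from the thread: add the root domain's Enterprise Admins group
# to the local Administrators group of every member server in every domain.
# Report-only by default; changes are made only with -Apply.
# Assumes the ActiveDirectory module, WinRM enabled on the servers, and an account
# that is already an administrator on them.
Import-Module ActiveDirectory

function Grant-EnterpriseAdminsLocalAdmin {
    param([switch]$Apply)

    $forest = Get-ADForest
    $root   = Get-ADDomain -Identity $forest.RootDomain
    $eaName = "$($root.NetBIOSName)\Enterprise Admins"   # e.g. ROOT\Enterprise Admins
    $applyFlag = $Apply.IsPresent

    foreach ($domainName in $forest.Domains) {
        $dom = Get-ADDomain -Identity $domainName

        # Member servers only. PrimaryGroupID 515 = Domain Computers; DCs are 516 and
        # their Administrators group already contains Enterprise Admins by default.
        $servers = Get-ADComputer -Server $dom.DNSRoot -Filter 'OperatingSystem -like "*Server*" -and PrimaryGroupID -eq 515'

        foreach ($srv in $servers) {
            try {
                $isAdmin = Invoke-Command -ComputerName $srv.DNSHostName -ErrorAction Stop `
                    -ArgumentList $eaName, $applyFlag -ScriptBlock {
                    param($group, $apply)
                    # 'net localgroup' prints one member per line; compare trimmed lines so
                    # the domain-qualified name must match exactly.
                    $present = @(net localgroup Administrators |
                                 Where-Object { $_.Trim() -eq $group }).Count -gt 0
                    if (-not $present -and $apply) {
                        net localgroup Administrators "$group" /add | Out-Null
                        $present = ($LASTEXITCODE -eq 0)
                    }
                    $present
                }
                $status = if ($isAdmin) { 'present' } else { 'missing' }
            } catch {
                # Host offline, WinRM not enabled, or no admin rights there yet.
                $status = "unreachable: $($_.Exception.Message)"
            }

            [pscustomobject]@{
                Domain = $dom.DNSRoot
                Server = $srv.DNSHostName
                EnterpriseAdminsLocalAdmin = $status
            }
        }
    }
}

# Usage: review the report, then apply.
Grant-EnterpriseAdminsLocalAdmin | Format-Table -AutoSize
# Grant-EnterpriseAdminsLocalAdmin -Apply
```

Run this way the change is a one-off and will not reassert itself if someone removes the membership later; the Restricted Groups setting in a GPO linked to the servers' OU does the same thing on every policy refresh, and using its "This group is a member of" form rather than "Members of this group" adds Enterprise Admins without wiping whatever else is already in local Administrators.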
