Solved

Differences between domain admins and enterprise admins

Posted on 2011-09-17
Last Modified: 2012-06-21
Guys,
Hope you are all well and can assist.
I am yet to find THE definitive list of what rights an enterprise admin has as opposed to what a domain admin can do.

I have looked at pages like
http://technet.microsoft.com/en-us/library/dd728026(WS.10).aspx
But even this does NOT list EVERY right of each.

The reason I need to know the differences in full between an enterprise admin and domain admin is so we can identify which users who are currently members of enterprise admins can be removed from this group.

SO, if someone knows or has the COMPLETE master list of what enterprise admins can do versus what domain admins can do, I would be truly grateful.


0
Question by:Simon336697
5 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 200 total points
ID: 36553852
I'm not sure if there is an updated master list; if I find one I'll post it.

Akfash has a good guide which he copied from TechNet, so the info should be valid: http://akfash.wordpress.com/2008/08/30/domain-admins-vs-enterprise-admins/

This guide for EA rights from VA Tech is something I've referenced for years for EA rights (specifically appendix A)

http://www.w2k.vt.edu/docs/EAScenarios.pdf

Thanks

Mike

0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 100 total points
ID: 36553870
Essentially the Enterprise admin is able to do all that domain admins can do, but in all domains in the forest, whereas the domain admin is limited to their own domain.

In addition there are one or two things that an enterprise admin can do that a domain admin can't, such as:

Authorise a DHCP Server
Create a New Domain in the Forest
0
 
LVL 1

Author Comment

by:Simon336697
ID: 36555283
Hi guys thanks so much.
Things like creating AD sites, which only enterprise admins can do, not domain admins, are the things I'm looking for.
That particular task was not mentioned in the TechNet URL I mentioned in this question.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 200 total points
ID: 36555554
Enterprise admin is a group that has admin rights over a forest and all domains in the forest. Since you have one domain/forest, the only real use for this is in AD Sites and Services and AD Domains and Trusts MMCs. Both MMCs would let you make changes that could affect multiple domains if you had them.

Domain Admins are admins of a single domain by default and cannot admin other domains unless you allow them that right.
Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.

Schema Admins is a group used to allow access to the Schema in a Forest. The Schema controls what objects and attributes can be created in AD. You only need to be a member of this if you are making changes to the schema, which does not happen a lot, but would if you were installing something like Exchange.

It is not best practice to assign domain admin/enterprise admin rights to users in the environment.
The best practice is to find the number of users who require domain admin rights for certain activities:
why they require them, how many times they require them in a month, and for what activity.
If the activities are related to desktops, you can right away remove the domain admin rights and add the user to their local desktop administrator group as per requirement. Refer to www.globalimaginginc.com/resources/docs/AddingLocalAdministrator.doc



0
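
The review described in the answers above starts from an exact list of who currently holds these rights. The PowerShell below is an added example, not part of the original thread: it assumes the ActiveDirectory (RSAT) module and read access to every domain in the forest, and the output file name is a placeholder.

```powershell
# Added example: list every user who holds forest- or domain-wide admin rights
# through group membership, with data that helps decide who can be removed.
# Assumes the ActiveDirectory module (RSAT) and read access to each domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
# Well-known RIDs: 512 = Domain Admins (exists in every domain);
# 518 = Schema Admins, 519 = Enterprise Admins (forest root domain only).
$ridNames = @{ 512 = 'Domain Admins'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins' }

$report = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Server $domainName
    $rids = @(512)
    if ($domainName -eq $forest.RootDomain) { $rids += 518, 519 }

    foreach ($rid in $rids) {
        # Look the group up by SID so a renamed or localized group is still found.
        $group = Get-ADGroup -Identity "$($domain.DomainSID.Value)-$rid" -Server $domainName

        # -Recursive flattens nested groups, so indirect members are reported too.
        $members = Get-ADGroupMember -Identity $group -Recursive -Server $domainName |
            Where-Object { $_.objectClass -eq 'user' }

        foreach ($member in $members) {
            # Universal groups (518/519) can hold users from any domain in the
            # forest, so query the domain named in the member's own DN.
            $userDomain = (($member.DistinguishedName -split ',') -like 'DC=*' |
                ForEach-Object { $_.Substring(3) }) -join '.'
            $user = Get-ADUser -Identity $member.DistinguishedName -Server $userDomain `
                -Properties Enabled, LastLogonDate, PasswordLastSet

            [pscustomobject]@{
                Role            = $ridNames[$rid]
                GroupDomain     = $domainName
                User            = $user.SamAccountName
                UserDomain      = $userDomain
                Enabled         = $user.Enabled
                LastLogonDate   = $user.LastLogonDate
                PasswordLastSet = $user.PasswordLastSet
            }
        }
    }
}

# Output path is a placeholder chosen for this example.
$report | Sort-Object Role, User | Export-Csv -Path .\privileged-members.csv -NoTypeInformation
```

LastLogonDate is derived from lastLogonTimestamp, which replicates with a delay of up to about two weeks, so treat it as approximate when judging whether an account is still in use.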
 
LVL 1

Author Closing Comment

by:Simon336697
ID: 36946236
Thanks so much guys, sorry about the delay.
0
