Solved

Differences between domain admins and enterprise admins

Posted on 2011-09-17
Last Modified: 2012-06-21
Guys,
Hope you are all well and can assist.
I am yet to find THE definitive list of what rights an enterprise admin has as opposed to what a domain admin can do.

I have looked at pages like
http://technet.microsoft.com/en-us/library/dd728026(WS.10).aspx
But even this does NOT list EVERY right of each.

The reason I need to know the differences in full between an enterprise admin and domain admin is so we can identify which users who are currently members of enterprise admins can be removed from this group.

SO, if someone knows or has the COMPLETE master list of what enterprise admins can do versus what domain admins can do, I would be truly grateful.


Question by:Simon336697
5 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 800 total points
ID: 36553852
I'm not sure if there is an updated master list; if I find one I'll post it.

Akfash has a good guide which he copied from TechNet, so the info should be valid: http://akfash.wordpress.com/2008/08/30/domain-admins-vs-enterprise-admins/

This guide for EA rights from VA Tech is something I've referenced for years for EA rights (specifically appendix A)

http://www.w2k.vt.edu/docs/EAScenarios.pdf

Thanks

Mike

0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 400 total points
ID: 36553870
Essentially the Enterprise admin is able to do all that domain admins can do - but in all domains in the forest, whereas the domain admin is limited to their own domain.

In addition there are one or two things that an enterprise admin can do that a domain admin can't such as

Authorise a DHCP Server
Create a New Domain in the Forest
0
 
LVL 1

Author Comment

by:Simon336697
ID: 36555283
Hi guys thanks so much.
Things like creating AD sites, which only enterprise admins can do, not domain admins, are the things I'm looking for.
That particular task was not mentioned in the TechNet URL I mentioned in this question.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 800 total points
ID: 36555554
Enterprise admin is a group that has admin rights over a forest and all domains in the forest. Since you have one domain/forest, the only real use for this is in AD Sites and Services and AD Domains and Trusts MMCs. Both MMCs would let you make changes that could affect multiple domains if you had them.

Domain Admins are admins of a single domain by default and cannot admin other domains unless you allow them that right.
Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.

Schema Admins is a group used to allow access to the Schema in a Forest. The Schema controls what objects and attributes can be created in AD. You only need to be a member of this if you are making changes to the schema, which does not happen a lot, but would if you were installing something like Exchange.

It is not best practice to assign domain admin/enterprise admin rights to users in the environment.
The best practice is to find the number of users who require domain admin rights for certain activities.
Why do they require them, how many times do they require them in a month, and for what activity?
If the activities are related to desktops, you can right away remove the domain admin rights and add the user to their local desktop administrator group as per requirement. Refer to www.globalimaginginc.com/resources/docs/AddingLocalAdministrator.doc



0
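For the membership review this thread is about (deciding who can come out of Enterprise Admins and Domain Admins), the script below lists every direct and nested user in Enterprise Admins, Schema Admins and each domain's Domain Admins, with last logon and password age, as a CSV to review. It is an added example, not code from any poster here; it assumes the RSAT ActiveDirectory PowerShell module and read access to every domain in the forest, and the output file name is arbitrary.

```powershell
# Added example: review sheet for forest-wide and domain-wide admin groups.
# Assumes the RSAT ActiveDirectory module and read access to each domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = $forest.RootDomain

# Enterprise Admins and Schema Admins exist only in the forest root domain;
# Domain Admins exists once per domain.
$targets = @(
    [pscustomobject]@{ Group = 'Enterprise Admins'; Domain = $root }
    [pscustomobject]@{ Group = 'Schema Admins';     Domain = $root }
)
$targets += foreach ($d in $forest.Domains) {
    [pscustomobject]@{ Group = 'Domain Admins'; Domain = $d }
}

$report = foreach ($t in $targets) {
    # -Recursive expands nested groups so indirect members are listed too.
    $members = Get-ADGroupMember -Identity $t.Group -Server $t.Domain -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        # A universal group can hold users from other domains, so query the
        # domain named in the member's own distinguished name.
        $memberDomain = ($m.distinguishedName -split ',' |
            Where-Object { $_ -like 'DC=*' } |
            ForEach-Object { $_.Substring(3) }) -join '.'

        $u = Get-ADUser -Identity $m.distinguishedName -Server $memberDomain `
                 -Properties LastLogonDate, PasswordLastSet

        [pscustomobject]@{
            Group           = $t.Group
            GroupDomain     = $t.Domain
            Account         = "$memberDomain\$($u.SamAccountName)"
            Enabled         = $u.Enabled
            LastLogonDate   = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
        }
    }
}

$report | Sort-Object Group, GroupDomain, Account |
    Export-Csv -Path .\privileged-group-review.csv -NoTypeInformation
```

LastLogonDate is derived from lastLogonTimestamp, which replicates lazily and can lag by up to about two weeks, so treat it as a staleness hint rather than an exact time.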
 
LVL 1

Author Closing Comment

by:Simon336697
ID: 36946236
Thanks so much guys, sorry about the delay.
0
