Solved

Differences between domain admins and enterprise admins

Posted on 2011-09-17
5
7,279 Views
Last Modified: 2012-06-21
Guys,
Hope you are all well and can assist.
I am yet to find THE definitive list of what rights an enterprise admin has as opposed to what a domain admin can do.

I have looked at pages like
http://technet.microsoft.com/en-us/library/dd728026(WS.10).aspx
But even this does NOT list EVERY right of each.

The reason I need to know the differences in full between an enterprise admin and domain admin is so we can identify which users who are currently members of enterprise admins can be removed from this group.

SO, if someone knows or has the COMPLETE master list of what enterprise admins can do versus what domain admins can do, I would be truly grateful.


0
Comment
Question by:Simon336697
5 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 200 total points
ID: 36553852
I'm not sure if there is an updated master list if I find one I'll post it.

Akfash has a good guide which he copied from TechNet so the info should be valid  http://akfash.wordpress.com/2008/08/30/domain-admins-vs-enterprise-admins/

This guide for EA rights from VA Tech is something I've referenced for years for EA rights (specifically appendix A)

http://www.w2k.vt.edu/docs/EAScenarios.pdf

Thanks

Mike

0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 100 total points
ID: 36553870
Essentially the Enterprise admin is able to all that domain admins can do - but in all domains in the forest , whereas the domain admin is limited to their own domain.

In addition there are one or two things that an enterprise admin can do that a domain admin can't such as

Authorise a DHCP Server
Create a New Domain in the Forest
0
 
LVL 1

Author Comment

by:Simon336697
ID: 36555283
Hi guys thanks so much.
Things like creating AD sites, which only enterprise admins can do, not domain admins, are the things I'm looking for.
That particular task was not mentioned in the tech net URL I mentioned in this question.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 200 total points
ID: 36555554
Enterprise admin is a group that has admin rights over a forest and all domains in the forest. Since you have one domain/forest, the only real use for this is in AD Sites and Services and AD Domains and Trusts MMCs. Both MMCs would let you make changes that coudl affect multiple domains if you had them.

Domain Admins are admins of a single domain by default and cannot admin other domains unless you allow them that right.
Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.

Schema Admins is a group used to allow access to the Schema in a Forest. The Schema controls what objects and attributes can be created in AD. You only need to be a member of this if you are making changes to the schema, which does not happen a lot, but would if you where installing something like Exchange.

It is not best practise to assign domain admin/enterprise admin rihts to users in the environment.
The best practice is to find the number of user who requires domain admin rights for certain activity.
why they require and how many times they required in a month and for what activity?
If the activities are realated to desktop you can right away remove the domain admin rights and add the user to their local desktop administrator group as per requirement.Refer www.globalimaginginc.com/resources/docs/AddingLocalAdministrator.doc



0
 
LVL 1

Author Closing Comment

by:Simon336697
ID: 36946236
Thanks so much guys sorrry about the delay.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question