Solved

Differences between domain admins and enterprise admins

Posted on 2011-09-17
Last Modified: 2012-06-21
Guys,
Hope you are all well and can assist.
I am yet to find THE definitive list of what rights an enterprise admin has as opposed to what a domain admin can do.

I have looked at pages like
http://technet.microsoft.com/en-us/library/dd728026(WS.10).aspx
But even this does NOT list EVERY right of each.

The reason I need to know the differences in full between an enterprise admin and domain admin is so we can identify which users who are currently members of enterprise admins can be removed from this group.

SO, if someone knows or has the COMPLETE master list of what enterprise admins can do versus what domain admins can do, I would be truly grateful.


Question by:Simon336697
5 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 200 total points
ID: 36553852
I'm not sure if there is an updated master list; if I find one I'll post it.

Akfash has a good guide which he copied from TechNet, so the info should be valid: http://akfash.wordpress.com/2008/08/30/domain-admins-vs-enterprise-admins/

This guide for EA rights from VA Tech is something I've referenced for years for EA rights (specifically appendix A)

http://www.w2k.vt.edu/docs/EAScenarios.pdf

Thanks

Mike

 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 100 total points
ID: 36553870
Essentially the Enterprise admin is able to do all that domain admins can do, but in all domains in the forest, whereas the domain admin is limited to their own domain.

In addition there are one or two things that an enterprise admin can do that a domain admin can't, such as:

Authorise a DHCP Server
Create a New Domain in the Forest
 
LVL 1

Author Comment

by:Simon336697
ID: 36555283
Hi guys, thanks so much.
Things like creating AD sites, which only enterprise admins can do, not domain admins, are the things I'm looking for.
That particular task was not mentioned in the TechNet URL I mentioned in this question.
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 200 total points
ID: 36555554
Enterprise admin is a group that has admin rights over a forest and all domains in the forest. Since you have one domain/forest, the only real use for this is in AD Sites and Services and AD Domains and Trusts MMCs. Both MMCs would let you make changes that could affect multiple domains if you had them.

Domain Admins are admins of a single domain by default and cannot admin other domains unless you allow them that right.
Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.

Schema Admins is a group used to allow access to the Schema in a Forest. The Schema controls what objects and attributes can be created in AD. You only need to be a member of this if you are making changes to the schema, which does not happen a lot, but would if you were installing something like Exchange.

It is not best practice to assign domain admin/enterprise admin rights to users in the environment.
The best practice is to find the number of users who require domain admin rights for a certain activity.
Why do they require them, how many times do they require them in a month, and for what activity?
If the activities are related to desktops you can right away remove the domain admin rights and add the user to their local desktop administrator group as per requirement. Refer to www.globalimaginginc.com/resources/docs/AddingLocalAdministrator.doc



0
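The membership review discussed in this thread can start from a read-only inventory of who currently holds each privileged group. The script below is an added example and is not part of any post in the thread; it assumes the RSAT ActiveDirectory module and the single-domain forest mentioned above, and the 90-day stale threshold is a constructed value.

```powershell
# Added example: read-only inventory of privileged group membership.
# Assumes the ActiveDirectory (RSAT) module and a single-domain forest.
Import-Module ActiveDirectory

$groups    = 'Enterprise Admins', 'Schema Admins', 'Domain Admins'
$staleDays = 90   # constructed threshold; replace with your own review policy
$cutoff    = (Get-Date).AddDays(-$staleDays)

$rows = foreach ($group in $groups) {
    # -Recursive expands nested groups down to the accounts that hold the right
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                            -Properties LastLogonDate, PasswordLastSet
            [pscustomobject]@{
                PrivGroup       = $group
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                # Never logged on, or not seen since the cutoff
                Stale = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)
            }
        }
}

# One row per account, listing every privileged group it sits in, so that
# accounts holding Enterprise Admins alongside Domain Admins stand out.
$rows | Group-Object SamAccountName | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Account         = $_.Name
        PrivGroups      = ($_.Group.PrivGroup | Sort-Object -Unique) -join ', '
        Enabled         = $first.Enabled
        LastLogonDate   = $first.LastLogonDate
        PasswordLastSet = $first.PasswordLastSet
        Stale           = $first.Stale
    }
} | Sort-Object Account | Format-Table -AutoSize
```

The output only lists candidates: disabled or stale accounts and accounts in several groups still need the per-user review of why and how often the rights are used before anything is removed.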
 
LVL 1

Author Closing Comment

by:Simon336697
ID: 36946236
Thanks so much guys, sorry about the delay.