Improve company productivity with a Business Account.Sign Up

x
?
Solved

Differences between domain admins and enterprise admins

Posted on 2011-09-17
5
Medium Priority
?
11,301 Views
Last Modified: 2012-06-21
Guys,
Hope you are all well and can assist.
I am yet to find THE definitive list of what rights an enterprise admin has as opposed to what a domain admin can do.

I have looked at pages like
http://technet.microsoft.com/en-us/library/dd728026(WS.10).aspx
But even this does NOT list EVERY right of each.

The reason I need to know the differences in full between an enterprise admin and domain admin is so we can identify which users who are currently members of enterprise admins can be removed from this group.

SO, if someone knows or has the COMPLETE master list of what enterprise admins can do versus what domain admins can do, I would be truly grateful.


0
Comment
Question by:Simon336697
5 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 800 total points
ID: 36553852
I'm not sure if there is an updated master list if I find one I'll post it.

Akfash has a good guide which he copied from TechNet so the info should be valid  http://akfash.wordpress.com/2008/08/30/domain-admins-vs-enterprise-admins/

This guide for EA rights from VA Tech is something I've referenced for years for EA rights (specifically appendix A)

http://www.w2k.vt.edu/docs/EAScenarios.pdf

Thanks

Mike

0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 400 total points
ID: 36553870
Essentially the Enterprise admin is able to all that domain admins can do - but in all domains in the forest , whereas the domain admin is limited to their own domain.

In addition there are one or two things that an enterprise admin can do that a domain admin can't such as

Authorise a DHCP Server
Create a New Domain in the Forest
0
 
LVL 1

Author Comment

by:Simon336697
ID: 36555283
Hi guys thanks so much.
Things like creating AD sites, which only enterprise admins can do, not domain admins, are the things I'm looking for.
That particular task was not mentioned in the tech net URL I mentioned in this question.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 800 total points
ID: 36555554
Enterprise admin is a group that has admin rights over a forest and all domains in the forest. Since you have one domain/forest, the only real use for this is in AD Sites and Services and AD Domains and Trusts MMCs. Both MMCs would let you make changes that coudl affect multiple domains if you had them.

Domain Admins are admins of a single domain by default and cannot admin other domains unless you allow them that right.
Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.

Schema Admins is a group used to allow access to the Schema in a Forest. The Schema controls what objects and attributes can be created in AD. You only need to be a member of this if you are making changes to the schema, which does not happen a lot, but would if you where installing something like Exchange.

It is not best practise to assign domain admin/enterprise admin rihts to users in the environment.
The best practice is to find the number of user who requires domain admin rights for certain activity.
why they require and how many times they required in a month and for what activity?
If the activities are realated to desktop you can right away remove the domain admin rights and add the user to their local desktop administrator group as per requirement.Refer www.globalimaginginc.com/resources/docs/AddingLocalAdministrator.doc



0
 
LVL 1

Author Closing Comment

by:Simon336697
ID: 36946236
Thanks so much guys sorrry about the delay.
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
One thing I've always found frustrating is no matter how many times one asks the end users to not save things on their local machines, they do it anyway.  Forget that we don't back up the desktops - only the servers.  Well, let's sneak their data on…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

602 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question