Hiding Parent Domain from Child Domain in ADUC

In some environments they use a parent domain just for security purposes. If I am not wrong, if they do not want Domain Admins to be Enterprise Admins, the creation of a parent domain will do the job. It may also apply when they do not want Domain Admins to be Schema Admins...

Well, the point is: how do you make ADUC show just the child domain, not the parent domain?

Thanks
jskfanAsked:

LearnctxEngineerCommented:
In some environments they use parent domain just for security purposes.
This is recommended practice for security purposes and reducing your attack surface particularly from internal threats.

What you're asking to do is "security through obscurity". It's a bad practice because it leads to a false sense of security. I don't believe it is possible to do, at least not effectively without breaking something else. Group Policy Management Console, for example, loads in the root domain and you must navigate down the tree to the child domain. You could also accidentally block domain controllers from being able to see resources in other domains. You will always be able to sidestep hiding it in ADUC as well via some other method.

My advice would be to secure your root domain tightly and your child domains even tighter :) Implement real-time monitoring (SCOM, Splunk, etc.) as well as historic long-term log storage (Splunk, etc.). Delegate everything. I can really not see any reason to make anyone other than those very few who need to be domain administrators, domain admins. AD has a very granular delegation system in place.
0
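As an added example (not part of the thread or any poster's own script), one way to check how few accounts actually hold the Domain Admins, Enterprise Admins and Schema Admins rights discussed above, across the root and every child domain. It assumes the ActiveDirectory RSAT module is installed and the account running it can read each domain; the variable names are illustrative.

```powershell
# Added example: report who holds forest-wide and domain-wide admin rights.
# Assumes the ActiveDirectory module (RSAT) and read access to every domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = Get-ADDomain -Server $forest.RootDomain

# Well-known RIDs: 512 = Domain Admins, 518 = Schema Admins, 519 = Enterprise Admins.
# Schema Admins and Enterprise Admins exist only in the forest root domain.
# Groups are looked up by SID so renamed or localized groups are still found.
$targets = @(
    [pscustomobject]@{ Domain = $root.DNSRoot; Sid = "$($root.DomainSID)-518" }
    [pscustomobject]@{ Domain = $root.DNSRoot; Sid = "$($root.DomainSID)-519" }
)
foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Server $name
    $targets += [pscustomobject]@{ Domain = $d.DNSRoot; Sid = "$($d.DomainSID)-512" }
}

$report = foreach ($t in $targets) {
    $group = Get-ADGroup -Identity $t.Sid -Server $t.Domain
    # -Recursive expands nested groups so indirect members are listed too.
    Get-ADGroupMember -Identity $group -Server $t.Domain -Recursive |
        ForEach-Object {
            [pscustomobject]@{
                GroupDomain = $t.Domain
                Group       = $group.Name
                Member      = $_.SamAccountName
                MemberDN    = $_.distinguishedName
            }
        }
}

$report | Sort-Object GroupDomain, Group, Member | Format-Table -AutoSize
```

Running it on a schedule and comparing the output with the previous run gives a simple record of membership changes to feed into the monitoring mentioned above.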
jskfanAuthor Commented:
How do you hide the parent domain in ADUC... I worked in an environment like that... when I open ADUC there is no sense that there's a parent domain.
0
LearnctxEngineerCommented:
I've never heard of anyone being able to do this with Active Directory Users and Computers. By default the root of ADUC is the FQDN of the domain and I do not believe it is possible to alter it. Maybe you are thinking about Active Directory Administrative Center, which is a more helpdesk-orientated tool, but I am sure even that has the ability to view the parent node.
0

Ben HartCommented:
Yeah, I don't think there are any options for this. Best you could do is use Delegation to restrict them from doing anything at the parent domain level.
0
jskfanAuthor Commented:
OK Thank you Guys!
0