Forest Permissions

Hello, just trying to get my head around a problem and need some help.

Building a forest in test, we have a test domain at top level and a child domain. Trusts are transitive; we have made no changes.

The Enterprise Admins reside in the top-level domain; we created a domain admin in the child domain.

From the child domain, our domain admin for that domain uses ADUC to change domain. I was expecting this user not to be able to cause too much damage, and the following is true:

Domain Admin - cannot delete accounts, cannot add accounts in the domain. HOWEVER, the domain administrator from the down-level domain CAN delete membership details of the Enterprise Admin, i.e. membership of Schema Admins ... NOT GOOD.

OK - so I went back to the top-level domain TEST.INT and from its properties I restricted access to write, create and delete child objects, but obviously this still does not restrict the down-level admin from causing problems.

To be honest I was not expecting this, so I am glad I am checking. How can I prevent the down-level administrator from changing the Enterprise Admins' membership properties?


Sounds like the child domain admin is a member of 'Enterprise Admins'.
Remove this group and it should stop them making changes (after a logout/login, obviously).
BYRONJACKSON (Author) commented:
[Attachment: capture-20150309-164559.jpg]
Yes, we thought that, but the Domain Admin is not a member. In essence all this user should have is Domain Admin rights over a down-level domain. As stated, she has no rights to delete or add users or computers.

But the user does have full rights to the "Member Of" tab.
Is the screenshot the child domain admin or the forest admin? Enterprise Admins is listed there...

Domain Admins can see the memberships of the forest root, but cannot amend them. You cannot prevent access to the Member Of tab.

If the domain admin can make changes, check group nesting to make sure one of the other groups the domain admin is a member of isn't in Enterprise Admins by mistake.
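The two checks suggested in the reply above (is the child admin nested into a forest-level group, and who is actually allowed to change Enterprise Admins membership), as an added example that is not part of the original thread. It is a PowerShell script run from a forest-root admin session with the RSAT ActiveDirectory module. TEST.INT is the forest root named in the thread; the child domain name `child.test.int` and the account name `childadmin` are placeholders to replace.

```powershell
# Added example, not code from the original thread.
# Assumptions: RSAT ActiveDirectory module installed; run as a forest-root admin.
# 'test.int' is the forest root from the thread; the child domain and the child
# Domain Admin's sAMAccountName below are placeholders.
Import-Module ActiveDirectory

$ForestRoot  = 'test.int'        # from the thread (TEST.INT)
$ChildDomain = 'child.test.int'  # placeholder
$UserName    = 'childadmin'      # placeholder

$user   = Get-ADUser -Identity $UserName -Server $ChildDomain
$userDn = $user.DistinguishedName   # DNs containing ( ) \ or * must be RFC 4515-escaped

# --- 1. Transitive (nested) group membership in every domain of the forest ----
# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the DC walk nesting
# server-side, so a group that contains a group that contains the user is returned
# too. Each domain is queried directly rather than via the Global Catalog, because
# global and domain-local group membership is not replicated to the GC.
$forest = Get-ADForest -Server $ForestRoot
$nested = foreach ($d in $forest.Domains) {
    Get-ADGroup -Server $d -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)" |
        Select-Object @{Name = 'Domain'; Expression = { $d }}, Name, GroupScope, SID
}

# --- 2. Flag forest-level privileged groups by well-known RID ------------------
$rootSid    = (Get-ADDomain -Server $ForestRoot).DomainSID.Value
$privileged = @{
    "$rootSid-519" = 'Enterprise Admins'
    "$rootSid-518" = 'Schema Admins'
    "$rootSid-512" = 'Domain Admins (forest root)'
    'S-1-5-32-544' = 'Administrators (forest root BUILTIN)'
}
"Transitive group membership of $ChildDomain\$UserName:"
$nested | Format-Table Domain, Name, GroupScope -AutoSize
$hits = $nested | Where-Object {
    $privileged.ContainsKey($_.SID.Value) -and
    # BUILTIN\Administrators has the same SID in every domain; only the root's counts
    ($_.SID.Value -ne 'S-1-5-32-544' -or $_.Domain -eq $forest.RootDomain)
}
if ($hits) {
    "PROBLEM: the account reaches forest-level admin groups through nesting:"
    $hits | ForEach-Object { "  $($_.Domain)\$($_.Name) -> $($privileged[$_.SID.Value])" }
} else {
    "OK: no nested path into Enterprise Admins, Schema Admins or the root Domain Admins/Administrators."
}

# --- 3. Who may write the 'member' attribute of Enterprise Admins? -------------
# The Member Of tab on a user writes the *group's* member attribute, so the ACL
# that matters lives on the group object in the forest root, not on the user.
$memberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of 'member'
$ea = Get-ADGroup -Identity "$rootSid-519" -Server $ForestRoot -Properties adminCount
New-PSDrive -Name FR -PSProvider ActiveDirectory -Root '' -Server $ForestRoot | Out-Null
$acl = Get-Acl -Path "FR:\$($ea.DistinguishedName)"
$writers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner') -and
    # ObjectType empty = the right applies to all properties; otherwise only 'member'
    ($_.ObjectType -eq [Guid]::Empty -or $_.ObjectType -eq $memberAttrGuid)
}
"adminCount on Enterprise Admins: $($ea.adminCount)  (1 = protected by AdminSDHolder)"
"Principals allowed to change Enterprise Admins membership:"
$writers | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited | Format-Table -AutoSize
```

Step 1 is the nesting check from the reply; step 3 answers the original question directly, since a child-domain Domain Admin can only edit the Member Of list if some ACE on the group in the root domain grants it WriteProperty on `member` (or a broader right). Enterprise Admins and Schema Admins are protected groups (adminCount=1), so the SDProp process re-applies the AdminSDHolder template DACL to them roughly every hour and removes ACEs set directly on the group; that is worth knowing when a permission result on one of these groups appears to change on its own between one day and the next.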

BYRONJACKSON (Author) commented:
Hi, the screenshot is from the down-level domain; the domain admin there has changed domain to the forest root.

Unfortunately this domain admin can delete those settings here, which is causing me a few issues. I will check that, probably tomorrow, and post back.
BYRONJACKSON (Author) commented:
Turns out that somehow this resolved itself overnight; never really got to the bottom of why.

BYRONJACKSON (Author) commented:
Faulting install - all seems to work well now.
Windows Server 2012