Hello, just trying to get my head around a problem and need some help.
Building a forest in test, we have a test domain at top level, test.int, and a child domain, uk.test.int. Trusts are transitive; we have made no changes.
The Enterprise Admins reside in the top-level domain; we created a domain admin in the child domain.
From the child domain uk.test.int, our domain admin for that domain uses ADUC to change domain. I was expecting this user not to be able to cause too much damage, and the following is true:
Domain Admin: cannot delete accounts, cannot add accounts in the test.int domain. HOWEVER, the domain administrator from the down-level domain CAN delete membership details of the Enterprise Admins, i.e. membership of Schema Admins ... NOT GOOD.
OK, so I went back to the top-level domain TEST.INT and from its properties I restricted access to write, create and delete child objects, but obviously this still does not restrict the down-level admin from causing problems.
To be honest I was not expecting this, so I am glad I am checking. How can I prevent the down-level administrator from changing the Enterprise Admins membership properties?
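The first thing to establish for a question like this is which trustee actually holds the right to write the `member` attribute of the root-domain Enterprise Admins group. The script below is an added example, not part of the original post and not code from the poster. It assumes the RSAT ActiveDirectory module is installed, that the forest root (test.int in the post) is reachable from wherever it runs, and that the caller can read that domain; the function name `Get-MembershipWriters` is the example's own. It lists every Allow ACE on Enterprise Admins, and on AdminSDHolder, that grants WriteProperty on `member` (or on all attributes), or WriteDacl/WriteOwner, which would let the trustee grant itself that right.

```powershell
# Added example, not from the original post: list every trustee whose ACE on the
# forest-root Enterprise Admins group (or on AdminSDHolder, which SDProp copies
# onto it) allows changing group membership. Assumes the RSAT ActiveDirectory
# module is installed and the caller can read the forest root domain (test.int).
Import-Module ActiveDirectory

$rootDomain = Get-ADDomain -Identity (Get-ADForest).RootDomain
$rootDC     = $rootDomain.PDCEmulator     # SDProp runs on the root PDC emulator

# Schema GUID of the 'member' attribute; adding or removing a member writes it.
$memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$takeOver   = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

# Helper defined for this example (not an AD cmdlet).
function Get-MembershipWriters {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Server
    )
    # Plain ADSI bind so the root-domain DC is targeted explicitly even when the
    # script is run from a child domain such as uk.test.int.
    $entry = [ADSI]"LDAP://$Server/$DistinguishedName"
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
                 $true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $rights = $rule.ActiveDirectoryRights

        # WriteProperty on 'member', or on all attributes (empty ObjectType GUID),
        # is what ADUC exercises when membership changes. GenericWrite and
        # GenericAll both include the WriteProperty bit, so -band catches them.
        $canWriteMember = (($rights -band $writeProp) -ne 0) -and
                          ($rule.ObjectType -eq [guid]::Empty -or $rule.ObjectType -eq $memberGuid)

        # WriteDacl / WriteOwner let a trustee grant itself the right above.
        $canTakeOver = (($rights -band $takeOver) -ne 0)

        if (-not ($canWriteMember -or $canTakeOver)) { continue }

        # Resolve the SID to a name; foreign or deleted principals may not resolve.
        try   { $trustee = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $trustee = $rule.IdentityReference.Value }

        $scope = if ($rule.ObjectType -eq $memberGuid) { 'member' }
                 elseif ($rule.ObjectType -eq [guid]::Empty) { '(all attributes)' }
                 else { $rule.ObjectType.ToString() }

        [pscustomobject]@{
            Object    = $DistinguishedName
            Trustee   = $trustee
            Rights    = $rights
            Scope     = $scope
            Inherited = $rule.IsInherited
        }
    }
}

# Enterprise Admins is located by its well-known RID (519) in the root domain.
$eaDN   = (Get-ADGroup -Identity "$($rootDomain.DomainSID)-519" -Server $rootDC).DistinguishedName
$asdhDN = "CN=AdminSDHolder,CN=System,$($rootDomain.DistinguishedName)"

@($eaDN, $asdhDN) |
    ForEach-Object { Get-MembershipWriters -DistinguishedName $_ -Server $rootDC } |
    Format-Table Object, Trustee, Rights, Scope, Inherited -AutoSize
```

Two caveats when reading the output. Enterprise Admins is a protected group, so SDProp reapplies the AdminSDHolder ACL to it roughly every 60 minutes; an ACE removed from the group alone comes back, and a durable change has to be made on AdminSDHolder in the root domain. Second, no right on the group is needed to remove a child-domain principal from it: an administrator of the child domain can delete that user object, and the linked `member` value on the root group goes with it.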