• Status: Solved

Forest Permissions

Hello, just trying to get my head around a problem and need some help.

Building a forest in test, we have a test domain at top level, test.int, and a child domain, uk.test.int. Trusts are transitive; we have made no changes.

In the top level domain the Enterprise Admins reside; we created a domain admin in the child domain.

From the child domain uk.test.uk, our domain admin for that domain uses ADUC to change domain. I was expecting this user not to be able to cause too much damage, and the following is true:

Domain Admin: cannot delete accounts, cannot add accounts in the test.in domain. HOWEVER, the domain administrator from the down-level domain CAN delete membership details of the Enterprise Admin, i.e. membership of Schema Admins ... NOT GOOD.

OK, so I went back to the top level domain TEST.INT and from its properties I restricted access to write, create and delete child objects, but obviously this still does not restrict the down-level admin from causing problems.

To be honest I was not expecting this, so I am glad I am checking. How can I prevent the down-level administrator from changing the Enterprise Admins membership properties?

Byron
Asked by: BYRONJACKSON
1 Solution
 
Steve commented:
Sounds like the child domain admin is a member of 'Enterprise Admins'.
Remove this group and it should stop them making changes (after a logout-login, obviously).
 
BYRONJACKSON (Author) commented:
[Screenshot attached: capture-20150309-164559.jpg]
Yes, we thought that but the domain admin is not a member. In essence all this user should have is Domain Admin rights over a down-level domain. As stated, she has no rights to delete or add users or computers.

But the user does have full rights to the "Member Of" Tab.
 
Steve commented:
Is the screenshot the child domain admin or the forest admin, as Enterprise Admins is listed there...

Domain admins can see the memberships of the forest root, but cannot amend them. You cannot prevent access to the Member Of tab.

If the domain admin can make changes, check group nesting to make sure one of the other groups the domain admin is a member of isn't an enterprise admin by mistake.
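One way to do the nesting check Steve describes, as an added example that is not from this thread: it walks the member attribute of the privileged forest-root groups and reports every nesting path that ends at a given child-domain account, so an accidental indirect membership shows up with the chain of groups that grants it. It assumes the RSAT ActiveDirectory PowerShell module, the domain names from the question (test.int and uk.test.int), and a placeholder child-domain account named childadmin.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module,
# the forest root test.int and child domain uk.test.int from the question, and
# a placeholder child-domain account named 'childadmin'.
Import-Module ActiveDirectory

function Get-DomainFromDn([string] $Dn) {
    # 'CN=x,OU=y,DC=uk,DC=test,DC=int' -> 'uk.test.int', so each object is read
    # from a DC of its own domain (global group membership is not in the GC).
    # Assumes no escaped commas in the DN.
    ($Dn -split ',' | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }) -join '.'
}

function Find-GroupNestingPath {
    param(
        [Parameter(Mandatory)] [string] $GroupDn,    # DN of the group to walk
        [Parameter(Mandatory)] [string] $TargetSid,  # SID string of the account being looked for
        [string[]] $Path = @(),                      # group names walked so far
        [hashtable] $Seen = @{}                      # guards against circular nesting
    )
    if ($Seen.ContainsKey($GroupDn)) { return }
    $Seen[$GroupDn] = $true
    $group = Get-ADGroup -Identity $GroupDn -Server (Get-DomainFromDn $GroupDn) -Properties member
    $currentPath = $Path + $group.Name
    foreach ($memberDn in $group.member) {
        # Members can live in any domain of the forest; resolve each on its own domain
        $obj = Get-ADObject -Identity $memberDn -Server (Get-DomainFromDn $memberDn) -Properties objectSid
        if ($obj.ObjectClass -eq 'group') {
            Find-GroupNestingPath -GroupDn $memberDn -TargetSid $TargetSid -Path $currentPath -Seen $Seen
        } elseif ($obj.objectSid.Value -eq $TargetSid) {
            [pscustomobject]@{ Account = $memberDn; NestingPath = ($currentPath -join ' -> ') }
        }
    }
}

# Child-domain account under investigation (placeholder name)
$childAdmin = Get-ADUser -Identity 'childadmin' -Server 'uk.test.int'

# Forest-root groups that should never contain a child-domain admin, directly or nested
$rootGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators'
foreach ($name in $rootGroups) {
    $dn = (Get-ADGroup -Identity $name -Server 'test.int').DistinguishedName
    Find-GroupNestingPath -GroupDn $dn -TargetSid $childAdmin.SID.Value
}
```

Empty output means no nesting path from any of those root groups reaches the account; each line of output names one chain that does, which is the membership to remove.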

 
BYRONJACKSON (Author) commented:
Hi, the screenshot is from the down-level domain; the domain admin there has changed domain to the forest root.

Unfortunately this domain admin can delete those settings here, which is causing me a few issues. I will check that, probably tomorrow, and post back.
 
BYRONJACKSON (Author) commented:
Turns out that somehow this resolved itself overnight; never really got to the bottom of why.
 
BYRONJACKSON (Author) commented:
Faulting install; all seems to work well now.