
Forest Permissions

Hello, just trying to get my head around a problem and need some help.

Building a forest in test, we have a test domain at the top level, test.int, and a child domain, uk.test.int. Trusts are transitive; we have made no changes.

The Enterprise Admins reside in the top-level domain; we created a domain admin in the child domain.

From the child domain uk.test.int, our domain admin for that domain uses ADUC to change domain. I was expecting this user not to be able to cause too much damage, and the following is true:

Domain Admin - Cannot delete accounts, cannot add accounts in the test.int domain. HOWEVER, the domain administrator from the down-level domain CAN delete membership details of the Enterprise Admin - i.e. membership of Schema Admins ... NOT GOOD.

OK - so I went back to the top-level domain TEST.INT and from its properties I restricted access to write, create and delete child objects, but obviously this still does not restrict the down-level admin from causing problems.

To be honest I was not expecting this, so I am glad I am checking. How can I prevent the down-level administrator from changing the Enterprise Admins membership properties?

Byron

Steve, Architect/Designer

Commented:
Sounds like the child domain admin is a member of 'Enterprise Admins'.
Remove this group and it should stop them making changes (after a logout/login, obviously).

Author

Commented:
[screenshot attached: capture-20150309-164559.jpg] Yes, we thought that, but the Domain Admin is not a member. In essence all this user should have is Domain Admin rights over a down-level domain. As stated, she has no rights to delete or add users or computers.

But the user does have full rights to the "Member Of" Tab.
Steve, Architect/Designer

Commented:
Is the screenshot from the child domain admin or the forest admin, as Enterprise Admins is listed there...

Domain Admins can see the memberships of the forest root but cannot amend them. You cannot prevent access to the Member Of tab.

If the domain admin can make changes, check group nesting to make sure one of the other groups the domain admin is a member of isn't an Enterprise Admin by mistake.
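
One way to do the nesting check Steve describes, as an added example that is not from this thread: it walks the Enterprise Admins group through every nested group (across domains, via the Global Catalog) and reports the chain by which each user or computer ends up with Enterprise Admins rights, so a child-domain admin who got there through an intermediate group shows up with the group path. It assumes the RSAT ActiveDirectory module and a forest-root DC name (dc1.test.int, a placeholder) that answers Global Catalog queries on port 3268.

```powershell
# Added example; not code from the thread. Assumes the RSAT ActiveDirectory
# module and a forest-root DC (placeholder name dc1.test.int) reachable as a
# Global Catalog, so that member DNs from child domains can be resolved.
Import-Module ActiveDirectory

function Get-NestedMemberPaths {
    param(
        [Parameter(Mandatory)] [string] $GroupDn,
        [Parameter(Mandatory)] [string] $Server,   # "host:3268" = Global Catalog
        [string[]] $Path = @(),
        [hashtable] $Seen = @{}
    )
    # Guard against circular nesting (GroupA -> GroupB -> GroupA)
    if ($Seen.ContainsKey($GroupDn)) { return }
    $Seen[$GroupDn] = $true

    $group   = Get-ADGroup -Identity $GroupDn -Server $Server -Properties member
    $current = $Path + $group.Name

    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Server $Server -Properties objectClass
        if ($obj.ObjectClass -eq 'group') {
            # Recurse into the nested group, carrying the path so far
            Get-NestedMemberPaths -GroupDn $dn -Server $Server -Path $current -Seen $Seen
        } else {
            # Leaf principal: report it together with the chain that grants membership
            [pscustomobject]@{
                Member = $obj.Name
                Class  = $obj.ObjectClass
                Domain = ($dn -split ',DC=' | Select-Object -Skip 1) -join '.'
                Via    = ($current -join ' -> ')
            }
        }
    }
}

# Usage: enumerate effective Enterprise Admins in the forest root (test.int)
$rootDc  = 'dc1.test.int'                 # placeholder forest-root DC
$rootDn  = (Get-ADDomain -Server $rootDc).DistinguishedName
$eaDn    = "CN=Enterprise Admins,CN=Users,$rootDn"
Get-NestedMemberPaths -GroupDn $eaDn -Server "${rootDc}:3268" |
    Sort-Object Domain, Member | Format-Table -AutoSize
```

Any row whose Domain column is the child domain (uk.test.int) and whose Via column shows more than one group is a nested path worth reviewing, since the user would not appear in the Enterprise Admins Member Of tab directly.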

Author

Commented:
Hi, the screenshot is from the down-level domain; the domain admin there has changed domain to the forest root.

Unfortunately this domain admin can delete those settings here, which is causing me a few issues. I will check that probably tomorrow and post back.

Turns out that somehow this resolved itself overnight; never really got to the bottom of why.

Author

Commented:
Faulting install - all seems to work well now.