Re: enterprise admins in single domain question



Any admin on any domain, if they know what they are doing, can add themselves to Enterprise Admins for the forest. The people who are domain admins should also be the enterprise admins, because they can effectively gain that access any time they want.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


barabba72@xxxxxxxxxxx wrote:
Thank you Andrey for your answer.
I feel my question is still unanswered though. Is it normal that in a
single domain, domain admins can add themselves to the enterprise
admins group?

Regards
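
Added example, not part of the original thread: a read-only audit that follows from the point made in the reply above, treating every Domain Admins member in the forest as an effective forest-level administrator and showing whether each one is also listed in Enterprise Admins. It assumes the RSAT ActiveDirectory module and read access to every domain in the forest; the variable names and the report columns are illustrative.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
# and an account that can read group membership in every domain of the forest.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootSid = (Get-ADDomain -Server $forest.RootDomain).DomainSID.Value

# Enterprise Admins exists only in the forest root domain (well-known RID 519).
$eaSids = @(
    Get-ADGroupMember -Identity "$rootSid-519" -Server $forest.RootDomain -Recursive |
        ForEach-Object { $_.SID.Value }
)

$report = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Server $domainName

    # Domain Admins has well-known RID 512 in every domain, so resolve it by SID
    # rather than by name (the group may have been renamed or localized).
    $daSid = "$($domain.DomainSID.Value)-512"

    # -Recursive expands nested groups so indirect members are not missed.
    Get-ADGroupMember -Identity $daSid -Server $domain.PDCEmulator -Recursive |
        ForEach-Object {
            [pscustomobject]@{
                Domain             = $domainName
                Account            = $_.SamAccountName
                ObjectClass        = $_.objectClass
                InEnterpriseAdmins = $eaSids -contains $_.SID.Value
            }
        }
}

# Rows with InEnterpriseAdmins = False are accounts whose forest-level reach
# is not visible from the Enterprise Admins membership list alone.
$report | Sort-Object Domain, Account | Format-Table -AutoSize
```

Review the full list, not only the Enterprise Admins group, when deciding who holds forest-wide privilege.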