Re: Built in Groups Administrators issue in new raised functional

No restricted groups.

Root: xyz.org

Child1: c1.xyz.org
Child2: c2.xyz.org

After the upgrade:

CHILD domain admins are not longer member of the built-in ADMINISTRATORS

For Example:
When you check the Administrators group of c1.xyz.org it only has the :
ff:

Domain Admins\xyz.org
Enterprise Admins\xyz.org

Domain Admins of c1.xyz.org is missing??














"Jorge de Almeida Pinto [MVP - DS]" wrote:

CHILD domain admins are not longer member of the built-in ADMINISTRATORS
group... in which AD domain?

group members are not just removed like.... are you using restricted groups
to manage the membership of that group?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

"ADSadmins" <ADSadmins@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A3418F00-F693-4EBE-855E-8C875515CFC2@xxxxxxxxxxxxxxxx
Environment
4 child domains
1 forest root ( windows 2003 functional level) { Raised recently}

We found out that Child domain admins were no longer in the Built-In
Administrators group (ADS Users & Computers) this is after an upgrade was
performed Win2003 Functtional level.

Yesterday we manually restored the former settings. However, these
settings
were again removed overnight.

If these changes are by design ? If yes, then we want to put it back,
question is how do we enforce?

thanks


.

Relevant Pages

  • Re: Sub Domain Admin Accounts
    ... because it is a member of the Enterprise administrators universal group. ... Other members of the child domain admins group would not have this ability ... >> no technical reason why an admin accounts in one domain need to access ...
    (microsoft.public.windows.server.general)
  • Re: Share access problem 2003 member server
    ... but they do not have rights or permissions unless ... can't even view the share on this server. ... Account John is a member of child domain called West.newtrader.co.uk ...
    (microsoft.public.windows.server.general)
  • Re: Confused
    ... >By default the Enterprise Admins are member of any Child ... >Administrators group so they are administrators of the ... >required groups so it can administer the Child Domain ...
    (microsoft.public.win2000.active_directory)
  • Re: Confused
    ... Administrators group so they are administrators of the child domain, ... By default the Domain Admins of a domain are member of the ...
    (microsoft.public.win2000.active_directory)
  • Re: 2003 share access issue!!!!!!
    ... Account John is a member of child domain called West.newtrader.co.uk which ... is the child domain of newtraders.co.uk. ... 2003 member server and John can access the share on this 2003 member ...
    (microsoft.public.windows.server.general)