Re: Domain Local into Domain Admins Group





The thing is it isn't recommended that anyone stay in the EA group for an
extended period of time, instead the recommendation is to provide local
admin access if needed on a daily basis. Of course I can't seem to find the
info related to this.

There are certain system configuration settings that only the Enterprise
Admin can perform, such as in the configuration of the naming context in AD.
I believe that within PKI there are things only the EA can do. I would just
hand out the least set of privileges and go from there.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

"Ace Fekay [MCT]" <aceman@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ujrTneYbKHA.5728@xxxxxxxxxxxxxxxxxxxxxxx
"Cosmo" <Cosmo@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A1EDE89C-F000-4FB0-8638-DD66F3413D95@xxxxxxxxxxxxxxxx
Thanks for the clarification. The method I'll use is:

Make the Forest root Domain Admins group a member of the various child
domains local administrators group.

Why do you want to do that?
Are you trying to give the Forest Root Domain admins access to the child
domains? The forest root domain admins ALREADY have the ability to
administer all child domains.

This is because the forest root Domain Admins is part of the EA group by
default.

Maybe I am missing the end results. Can you elaborate on your intentions?


For interest sake, what additional AD rights does the Enterprise Admin
group provide over the Domain Admin?

The forest Domain Admin is already part of the EA. The EA has carte blanche
over the WHOLE forest.

Ace
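
The following is an added example, not part of any poster's message: a PowerShell audit that relates to the advice above about not staying in the Enterprise Admins group for an extended period, by listing each direct member and how long it has been there. It assumes the ActiveDirectory (RSAT) module and read access to the forest root domain; `$MaxDays` is a hypothetical review threshold.

```powershell
# Added example: report how long each direct member has been in Enterprise Admins.
Import-Module ActiveDirectory

$MaxDays = 30   # assumption: review threshold in days, adjust to local policy

# Enterprise Admins exists only in the forest root domain (RID 519).
$rootDomain = (Get-ADForest).RootDomain
$dc         = (Get-ADDomainController -DomainName $rootDomain -Discover).HostName[0]
$rootSid    = (Get-ADDomain -Server $dc).DomainSID.Value
$ea         = Get-ADGroup -Identity "$rootSid-519" -Server $dc -Properties member

# Linked-value replication metadata records when each member value was first added.
# Members added before linked-value replication was in use have no per-value entry.
$added = @{}
Get-ADReplicationAttributeMetadata -Object $ea.DistinguishedName -Server $dc `
        -ShowAllLinkedValues -Properties member |
    ForEach-Object { $added[[string]$_.AttributeValue] = $_.FirstOriginatingCreateTime }

# Walk the current membership only, so removed members still present in the
# metadata are ignored.
$now = Get-Date
$report = foreach ($dn in $ea.member) {
    $since = $added[$dn]
    $days  = if ($since) { [int](($now - $since).TotalDays) } else { $null }
    [pscustomobject]@{
        Member      = $dn
        MemberSince = $since
        Days        = $days
        # Flag long-standing members and members with no metadata for manual review.
        Review      = (-not $since) -or ($days -gt $MaxDays)
    }
}

$report | Sort-Object Days -Descending | Format-Table -AutoSize
```

Nested groups appear as a single member entry; their own membership has to be checked separately.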





