AD, Ent. Admin rights in child domain

Tony Cooke

All,

Maybe you can help me out.

I have a root AD domain with about 4 DCs. There is also a child domain
which has 2 DCs.

Members of the Enterprise Admins group in the parent domain have 0 rights in
the child domain. What gives?

Also, when I try to set the 'managed by' tab for the domain to a user in the
parent domain, I get an error "The following Active Directory error
occurred: The name reference is invalid."

AND - Wait! There's more!

I can't add users from the parent domain to groups in the child domain.
Users and Groups from the parent are not an available option.


Thanks for any advice on my woes.

T
 
Olli

Are you trying to add users from the parent domain to global groups in the
child domain? If so, this will not work as global groups can only contain
entries from the local domain. Use a local or universal group.
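
The scope rule from the reply above, as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module is available and uses placeholder names throughout (`corp.example`, `child.corp.example`, `jdoe`, and the group names are all hypothetical).

```powershell
# Added example. Every domain, user and group name is a placeholder.
Import-Module ActiveDirectory

$parent = 'corp.example'          # assumed parent (root) domain
$child  = 'child.corp.example'    # assumed child domain

# A parent-domain account, read from a parent-domain DC.
$user = Get-ADUser -Identity 'jdoe' -Server $parent

# Global scope: members must come from the group's own domain, so the
# child domain rejects a parent-domain user as a direct member.
$childGlobal = New-ADGroup -Name 'GG-Child-Helpdesk' -GroupScope Global `
    -GroupCategory Security -Server $child -PassThru
try {
    Add-ADGroupMember -Identity $childGlobal -Members $user `
        -Server $child -ErrorAction Stop
} catch {
    Write-Warning "Cross-domain member refused: $($_.Exception.Message)"
}

# Workable layout: collect the parent accounts in a global group in the
# PARENT domain, then nest that group in a domain local group in the child.
$parentGlobal = New-ADGroup -Name 'GG-Parent-Helpdesk' -GroupScope Global `
    -GroupCategory Security -Server $parent -PassThru
Add-ADGroupMember -Identity $parentGlobal -Members $user -Server $parent

# Domain local scope accepts accounts and global/universal groups from
# other domains in the forest.
$childLocal = New-ADGroup -Name 'DL-Child-Helpdesk' -GroupScope DomainLocal `
    -GroupCategory Security -Server $child -PassThru
Add-ADGroupMember -Identity $childLocal -Members $parentGlobal -Server $child

# Review step: list the raw member DNs so cross-domain entries are visible
# when auditing who can reach resources secured with the child group.
Get-ADGroup -Identity $childLocal -Properties member -Server $child |
    Select-Object -ExpandProperty member
```

Granting resource permissions to the domain local group only keeps cross-domain access reviewable from one place in the child domain.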
 
Tony Cooke

Okay - so I could create a global group in the child domain, make it a
member of a local group in the child domain, and add parent domain users to
the new global group.... let me try.

T
 
Neil Ruston

The domain is the security boundary (although for strict
boundaries, one should deploy forests (another story)).

As such, Ent Admins are not domain admins in other domains
BY DESIGN. They have total control over forest-wide
entities such as sites and subnets but not domain objects
outside of their own domain.

Neil
 
