Confused

C

Chris

Ok here is the deal, I am setting up a parent (forest
root) and 3 child domains. I am now having security
issues when I log in on a child domain server with an ID
from the forest root that is an enterprise admin. All of
my organizations user ids will eventually reside in the
forest root and the the 3 domains are resources.
Enterprise admins should have god rights thoughout the
forest or am I missing something.

Thanks
Chris
 
C

Chriss3 [MVP]

Ensure you have selected the root domain when you logon as administrator.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
G

Guest

I do select the root domain, and I can login, I just do
not have "god" rights the the servers in the child
domains. I check the domain admins group on a dc in child
domain 1 and it only shows local (meaning child domain
ids) users in the domain admins grp, just administrator.
I attempt to go to the root domain and then select a
global group there and it says their are no selections
available.

Thanks
 
S

Sergio Fonseca [MVP]

Hi,

By default, the members of the Domain Admins group are "administrators" of
the member servers of domain.
Who do you have in the domain "domain admins" and in the member servers
local administrators group ?

Qualquer sugestão deve ser testada antes de aplicada - www.gupade.org
 
C

Chris

I only have administrator right now, inside the child
domain I am fine. It is when I log into the child domain
with the a forest root enterprise admin id that I have
problems, my understanding is that enterprise admins have
god rights to all things in all child domains.

Thanks
 
S

Sergio Fonseca [MVP]

Hi,



By default the Enterprise Admins are member of any Child Domain
Administrators group so they are administrators of the child domain, not
(immediately...) to their resources.

By default the Domain Admins of a domain (like the child) are member of the
member servers and computers administrators group, not the domain
administrators group.



With this settings a Enterprise Admin member can add him self to the
required groups so it can administer the Child Domain resources (servers,
computers, etc) but is not able to do it immediately.


Qualquer sugestão deve ser testada antes de aplicada - www.gupade.org

I only have administrator right now, inside the child
domain I am fine. It is when I log into the child domain
with the a forest root enterprise admin id that I have
problems, my understanding is that enterprise admins have
god rights to all things in all child domains.

Thanks
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Remove the Root Domain in the Forest 5
Mixing Enterprise and Standard 2
enterprise admins in single domain question 6
root domain lost 2
AD design question....again 4
Forest Separation 2
Problem removing metadata for forest root DCs on DC for second Domain 4
Forest root restoration after domains physically relocated 1

Top