enterprise admins in single domain question


barabba72

Hi all,

In a single, out-of-the-box Windows 2003 AD domain (no root or child
domains), I noticed that domain admins can freely add themselves to
the Enterprise Admins group.

Is this normal? Actually, in a forest made of a single domain, what's
the difference between enterprise and domain admins?

Thanks
 
This behavior is normal. Enterprise Admins (from the root domain) has Full
Control in all domains of the forest (it is a member of the Administrators group in
all domains of the forest). Domain Admins has control only in the local domain
(in your case, the root domain).
 
Thank you Andrey for your answer.
I feel my question is still unanswered though. Is it normal that in a
single domain, domain admins can add themselves to the Enterprise
Admins group?

Regards
 
Any admin on any domain if they know what they are doing can add themselves to
Enterprise Admins for the forest. The people who are domain admins should also
be the enterprise admins because they can effectively gain that access any time
they want.
 
Joe,

I don't get this one. A domain admin of a child domain cannot add
himself to an enterprise group hosted on a higher (root) domain. Right?

Thanks !
 
Yes, a domain admin, or even a server operator, of a child domain can add
themselves to Enterprise Admins.

I will not explain the details of how, but I have done it on multiple occasions to
help companies who ended up in bad ways.

This is why only people who are domain admins should have rights on domain
controllers and they should have the rights on all DCs in the forest. The domain
IS NOT a security boundary. It is a replication and policy boundary.
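A defensive check that follows from Joe's last point, as an added PowerShell example that is not part of this thread: it audits the forest-root Enterprise Admins membership against an approved baseline and pulls the Security events that record new additions to that group. It assumes the RSAT ActiveDirectory module, a root-domain DC running Windows Server 2008 or later (the thread's 2003 DCs log the older 632/660 event IDs and have no Get-WinEvent), and that "Audit Security Group Management" is enabled; the baseline account names are placeholders.

```powershell
# Added audit script, not from the thread. Assumes RSAT ActiveDirectory module,
# a 2008+ DC in the forest root, and security group management auditing enabled.
Import-Module ActiveDirectory

# Placeholder baseline of approved Enterprise Admins; keep the real list under change control.
$ApprovedEA = @('Administrator', 'ea-breakglass')

function Get-EnterpriseAdminDrift {
    param([string[]]$Approved)
    $root = (Get-ADForest).RootDomain
    # Enterprise Admins exists only in the forest root domain; -Recursive expands
    # nested groups, so an account added via a nested group is still reported.
    $members = Get-ADGroupMember -Identity 'Enterprise Admins' -Server $root -Recursive |
               Select-Object -ExpandProperty SamAccountName
    [PSCustomObject]@{
        Unexpected = @($members  | Where-Object { $Approved -notcontains $_ })
        Missing    = @($Approved | Where-Object { $members  -notcontains $_ })
    }
}

function Get-EnterpriseAdminAdditions {
    param([string]$DcName, [int]$Days = 7)
    # 4728 = member added to a security-enabled global group (mixed mode),
    # 4756 = member added to a security-enabled universal group (native mode).
    # The event is written on the root-domain DC that processed the write.
    $filter = @{ LogName = 'Security'; Id = 4728, 4756; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $DcName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -eq 'Enterprise Admins' } |   # TargetUserName
        ForEach-Object {
            [PSCustomObject]@{
                Time      = $_.TimeCreated
                AddedBy   = "$($_.Properties[7].Value)\$($_.Properties[6].Value)"  # SubjectDomain\SubjectUser
                NewMember = $_.Properties[0].Value                                  # MemberName (DN)
            }
        }
}

# Usage: report drift from the baseline, then list who added whom in the last week.
$drift = Get-EnterpriseAdminDrift -Approved $ApprovedEA
$drift.Unexpected | ForEach-Object { Write-Warning "Unexpected Enterprise Admin: $_" }
$drift.Missing    | ForEach-Object { Write-Warning "Approved account no longer a member: $_" }

$rootDc = "$((Get-ADDomainController -Discover -DomainName (Get-ADForest).RootDomain).HostName)"
Get-EnterpriseAdminAdditions -DcName $rootDc -Days 7 | Format-Table -AutoSize
```

Run it from the root domain on a schedule and feed the warnings to whatever alerting you already have; a member appearing here that nobody approved is exactly the case the thread describes.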
 