Setting up Permissions on Child Domain's Admin

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I have a parent domain called x.com & had to create a child domain child.x.com - Everything is working fine but the problem is by default the admin for child domain can make changes in AD on the parent domain.

I want to restrict the child domain admin to manage everything ONLY within the child.x.com & NOTHING in parent domain.

I have looked for KB Articles but they all poing to OU & delegation of control but that would not fit nor work into my environment. Any help will be appreciated.
 
By default the built-in administrator in the particular child domain only
have rights to the particular domain and not any trusted domains in the
forest including the parent domain. How ever make sure the child
administrator not are member of the Enterprise Admins group. Make sure they
are logged in to the child domain also.

--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup

netadmin said:
I have a parent domain called x.com & had to create a child domain
Click to expand...
child.x.com - Everything is working fine but the problem is by default the
admin for child domain can make changes in AD on the parent domain.
I want to restrict the child domain admin to manage everything ONLY within
Click to expand...
the child.x.com & NOTHING in parent domain.
I have looked for KB Articles but they all poing to OU & delegation of
Click to expand...
control but that would not fit nor work into my environment. Any help will
be appreciated.
 
Thanks Chriss3. I did what you had asked it did fix most of my issues. Is there any way where I can stop the lower child level admins to not eve see what users & groups are on the parent domain.
When they go on to domains & trust & click manage on the parent domain they can see all the settings could this be prevented?
 
This can be prevented yes with set the List Object Mode (We can do this by
set DS-Heuristics attribute to 0x01), But you should think two times before
you enable this functionality. This is not a default behavior because in a
forest this is expected scenario chose you want to share some information
and may gain access to some recourses across the domains that typical why
you trust domains. This will prevent such features how ever you can use the
VB Script below to set this mode of Active Directory.

More information can be found at:
http://www.windowsitlibrary.com/Content/667/04/2.html

---------------------------------------------------------------
' From the book "Active Directory Cookbook" by Robbie Allen
' Publisher: O'Reilly and Associates
' ISBN: 0-596-00466-4
' Book web site: http://rallenhome.com/books/adcookbook/code.html
' ---------------------------------------------------------------

' ------ SCRIPT CONFIGURATION ------
boolEnableListObject = 1 ' e.g. 1 to enable, 0 to disable
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://RootDSE")
set objDS = GetObject( _
"LDAP://cn=Directory Service,cn=Windows NT,cn=Services," _
& objRootDSE.Get("configurationNamingContext") )
strDSH = objDS.Get("dSHeuristics")
if len(strDSH) = 1 then
strDSH = strDSH & "0"
end if
strNewDSH = Left(strDSH,2) & boolEnableListObject
if len(strDSH) > 3 then
strNewDSH = strNewDSH & Right(strDSH, len(strDSH) - 3)
end if

WScript.Echo "Old value: " & strDSH
WScript.Echo "New value: " & strNewDSH

if strDSH <> strNewDSH then
objDS.Put "dSHeuristics", strNewDSH
objDS.SetInfo
WScript.Echo "Successfully set list object mode to " & _
boolEnableListObject
else
WScript.Echo "List object mode already set to " & boolEnableListObject
end if



--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup

netadmin said:
Thanks Chriss3. I did what you had asked it did fix most of my issues. Is
Click to expand...
there any way where I can stop the lower child level admins to not eve see
what users & groups are on the parent domain.
When they go on to domains & trust & click manage on the parent domain
Click to expand...
they can see all the settings could this be prevented?
 
Just want to add some info about the dsHeuaristic attribute, it's the third
flag that needs to be set to 1 (or above) the first two controls the ANR
search.

Regards,
/Jimmy
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

child domain logging to parent domain 1
Child Domains and GPO's 5
domain admin group of parent domain is NOT a member domain admin g 4
Adding a user to to the Domain Admin Group of a child domain. 4
AD2008 Root privileges required to promote child DC? 3
Deny Permissions not effective on child OUs 6
Cannot Ping DC in child domain by dns 1
Child Domain Security 2

Back
Top