Enterprise Admin Rights in a Child Domain

[PHead2]

I created a child domain and am a member of the 'Enterprise Admins' group.

My problem is that I always get 'access denied' messages when trying to remotely manage computers in the new child domain. It seems that the Enterprise Admins group does not have administrative rights on any of the child domain's computers. I cannot access these machines through Terminal Services anymore (using the Enterprise Admin account).

Is it possible to add the Enterprise Admins group to the child domain's Domain Admins group? When I try to select objects from the parent domain I am only allowed to select contacts or 'Other Objects'.

I would also like a user in the parent domain to be a Domain Admin in the child domain yet I cannot pick any accounts from the parent domain to add. What don't I know/am I missing here?

 

[GrnEyedLdy]

Are you running in Mixed or Native mode?

Patty

 

[PHead2]

Native mode in both domains.

 

[GrnEyedLdy]

"Is it possible to add the Enterprise Admins group to the child domain's Domain Admins group?"

The Enterprise Admin is added, by default, to the Domain administrators group in all child domains and has unrestricted access to all objects in the Forest.

There must be more to this.


Patty

 

[tubbaguts]

If your are still having problems, log into the forest root domain, open AD User and Comp, right click the root domain and choose "Connect to Domain", slect the child domain. Go to the built in OU and open the "Administrators" group. Add the Ent Admin group there.

 

[bake33]

i have just set-up a child domain in (abc.com) (child.abc.com)when i try and log on to the child box i am getting error about "system cannot log you on" if the users are in the parent and we have a trust relationship[ then why can`t i log into the child domain. Thanks in advance for the hekp

 

[tubbaguts]

You can log in a machine that is a member of a trusted domain but you have to select the domian that your account is in. For example: my user account (child\user) has server operator rights in the parent domain. So when I logon to the domain controller for the parent domain i do the following:

username: user
password: ****
domain: child (available choices are parent or child)

When the administrator from the parent logs onto the child domain I do the following:

username: administrator
password: *********
domain: parent

When I do this I am loging in to the domain controller of the child domain with full authority to the entrie forest since my account resides in the parent (root) domain. You can logon to any machine in the forest you have access to but you have to select the domain where your user account resides

 

[GrnEyedLdy]

Something you may already know, but...

You need administrative rigts to log onto a Domain controller, for security reasons. Of course your user account can also can be given the specific right to log on within a GPO without being part of the Admin group.

Also keep in mind that just because you are an Admin in one domain, does not make you an Admin in another.


Is the machine in question a Domain Controller?

What account are you using to try to log on?

What is the entire error message?

Patty

 

[PHead2]

Well, I figured that by being an Enterprise Admin I would automatically have domain admim permissions in every child domain.

I guess I have to have an account in each domain which is a Domain Admin in order to administer the entire domain...

 

[GrnEyedLdy]

No, the Enterprise Administrator account should work for you in any child domain as, the Enterprise Admin is added, by default, to the Domain administrators group in all child domains and has unrestricted access to all objects in the Forest.



Patty

 

[Girona]

Has anyone been able to help out PHead2 administrate more than one domain using only one account. I'd love to find out the solution.

The catch is that the Enterprise admin group is only nested into the administators group on all child domains, and not the Domain Admins group. And since Global groups (domain admins) will only accept other local domain Global groups, how do you create an enterprise group that can logon to all member servers in all domains?

 

[GeneralNerd]

Have you tried making the account part of the Schema Admins group?

 

[Girona]

No I haven't tried making them part of schema admins. What would that give me? I didn't think Schema admins is nested anywhere.


The question is how to create a single-sign-on support solution that will automatically nest a suppport user in the domain admins group of every domain to give you the ability to manage all memeber servers in all domains automatically with out having more than one user account and have to manually nest a group into each member server.

 

[GrnEyedLdy]

If the account is a member of the Enterprise Adminsistrators group you should not have a problem.

Straight from Tech Net,

Enterprise Admins (only appears in the forest root domain)

"Members of this group have full control of all domains in the forest. By default, this group is a member of the Administrators group on all domain controllers in the forest. By default, the Administrator account is a member of this group. Because this group has full control of the forest, add users with caution."

We are only talking about one Forest, right?

Patty

 

[Girona]

What you say is true that the Ent. Admins have full controll of the all the domains. And yes they are even nested into the Administrator groups on all domains. However, this only gives automatic acess to administrate the Domain Controller itself and doman administration. It does not automatically make you a local administrator on all member seervers.

Ent. Admins are not automatically domain admins. The "domain admins" group is the only group that gets automatically nested in all member server Local Administrator groups therefor the only group that gets nested into all the member servers automatically.