W2k3 AD: Add Enterprise Admins to Domain Admins

By nwelch

Running a Windows 2003 Native AD. Have a forest with two trees. I am trying to add the Enterprise Admin group from the Forest domain into each of the Domain Admins groups on the tree domains.

Doing this through the standard AD Users and Groups MMC will not work. I can add Enterprise Admins into all the other standard domain groups (DHCP Admins, DNS Admins, Domain Users, Backup Operators, etc.), but not the Domain Admins.

Anyone know of a way to do this, or if MS did this by design in 2k3 (Swear I could do that in 2k with no probs)?



All Answers



by CG IT In reply to W2k3 AD: Add Enterprise A ...

Enterprise admins have access to all domains, whereas domain admins have access to the domains only, not enterprise level.

So I'm confused as to why you want to add enterprise admins to the domain admin security group. If anything, you may want to delegate some of the enterprise admin roles to domain admins for administrative purposes, but not the other way around.


one reason that I found for this access

by mscobee In reply to why?

If you have software that is using the NetBIOS name resolution and you need to have access to the child domain workstations, you need a single user access. Which means you need a cross-domain user to make it work. I too need to accomplish this task.


In Practice

by nwelch In reply to why?

In practice Enterprise Admins should have authority all the way down to sub-domains (Forest->Tree->Domain->Sub-Domain), however when I log in as an Enterprise Admin, I do not always get admin rights. Example, I cannot add a user to Domain Admins of that Domain, yet if I log in with an account that does have Domain Admin, I can add away.

The other would be that when you join a computer to a domain, it adds Domain Admins to the local admin group. I do have a script that changes that, but it would be nice to not have to worry about a script running.

I have found that GPO and ADSI edits can change the privileges of groups for the domain and forest. So I am getting around this, just curious if others had found a way to do this.



Re: In Practice

by whiteb In reply to In Practice

Has anyone solved this yet? I have also found that Enterprise Admins can't log onto servers with administrative rights like domain admins.
