Windows Vista Tips


Domain Local into Domain Admins Group

 
 
Ace Fekay [MCT]

 
      11-23-2009
"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
news:%23Rp$...
> No. Just follow Ace's advice, it is simpler and better security. I was
> looking at it from the wrong perspective. Don't use the EA group.
>
> The administrators group is a domain local group. Say you would like all
> domain admins from the root of your domain to be admins in a child domain.
> Open up ADUC in the child domain and bring up the administrators domain
> local group, click add, click the Locations button and select the root
> domain to change the focus. Select the domain admins group and click ok.
> Now the domain admins group from the root should be a member of the domain
> local administrators group in the child domain.
>
> --
> Paul Bergson


I don't believe Cosmo read my response in its entirety or may not entirely
understand the gist of it.

To add to your response Paul, and possibly to make it easier for Cosmo to
understand, in summary:

****
If you want an account to have EA, simply add the user or group (universal
or global) from any domain or trusted domain, to the 'Builtin\Administrators'
group in the forest root.
****

That's it.

Ace
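
Paul's ADUC steps above, done from PowerShell as an added example (not code from the thread): it nests the forest root Domain Admins global group into a child domain's Builtin\Administrators domain local group and then lists who ends up with admin rights there, which is the check worth running after any such change. It assumes the RSAT ActiveDirectory module and the placeholder domain names corp.example and emea.corp.example.

```powershell
# Added example, not from the thread. Nest the forest root Domain Admins
# (global group) into a child domain's Builtin\Administrators (domain local
# group), then report the effective membership of that group.
# Assumptions: RSAT ActiveDirectory module; placeholder domain names below.
Import-Module ActiveDirectory

$RootDomain  = 'corp.example'        # assumed forest root domain
$ChildDomain = 'emea.corp.example'   # assumed child domain in the same forest

# Resolve both groups by well-known SID/RID instead of display name, so a
# renamed or look-alike group cannot be mistaken for the real one.
$rootSid = (Get-ADDomain -Server $RootDomain).DomainSID.Value
$rootDA  = Get-ADGroup -Identity "$rootSid-512" -Server $RootDomain          # Domain Admins, RID 512
$childAdmins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $ChildDomain `
                           -Properties member                                # Builtin\Administrators

# A global group from another domain in the forest may be a member of a
# domain local group; that is the nesting Paul describes.
if ($childAdmins.member -contains $rootDA.DistinguishedName) {
    Write-Host "Already nested: $($rootDA.DistinguishedName)"
} else {
    # Adding by distinguished name through Set-ADGroup sidesteps the object
    # resolution problems Add-ADGroupMember can have with cross-domain members.
    Set-ADGroup -Identity $childAdmins -Server $ChildDomain `
                -Add @{ member = $rootDA.DistinguishedName }
    Write-Host "Nested $($rootDA.Name) from $RootDomain into Administrators of $ChildDomain"
}

# Check: everyone who now holds admin rights in the child domain, nesting
# expanded. Each account listed is effectively a domain-level admin there.
# (-Recursive needs the child DC to resolve members from the root domain.)
Get-ADGroupMember -Identity $childAdmins -Server $ChildDomain -Recursive |
    Select-Object SamAccountName, objectClass, distinguishedName |
    Format-Table -AutoSize

# Paul's point about Enterprise Admins: its membership should stay near empty.
# EA (RID 519) exists only in the forest root domain.
$ea = Get-ADGroup -Identity "$rootSid-519" -Server $RootDomain
$eaMembers = @(Get-ADGroupMember -Identity $ea -Server $RootDomain)
Write-Host "Enterprise Admins currently has $($eaMembers.Count) member(s):"
$eaMembers | Select-Object SamAccountName, objectClass | Format-Table -AutoSize
```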


 
Cosmo

 
      11-24-2009
Thanks for the clarification. The method I'll use is:

Make the Forest root Domain Admins group a member of the various child
domains' local Administrators group.

For interest sake, what additional AD rights does the Enterprise Admin group
provide over the Domain Admin?
 
Ace Fekay [MCT]

 
      11-25-2009
"Cosmo" <> wrote in message
news:A1EDE89C-F000-4FB0-8638-...
> Thanks for the clarification. The method I'll use is:
>
> Make the Forest root Domain Admins group a member of the various child
> domains' local Administrators group.


Why do you want to do that?
Are you trying to give the Forest Root Domain admins access to the child
domains? The forest root domain admins ALREADY have the ability to
administer all child domains.

This is because the forest root Domain Admins is part of the EA group by
default.

Maybe I am missing the end results. Can you elaborate on your intentions?

>
> For interest sake, what additional AD rights does the Enterprise Admin
> group
> provide over the Domain Admin?


The forest Domain Admin is already part of the EA. The EA has carte blanche
over the WHOLE forest.

Ace




 
Paul Bergson [MVP-DS]

 
      11-25-2009

The thing is it isn't recommended that anyone stay in the EA group for an
extended period of time, instead the recommendation is to provide local
admin access if needed on a daily basis. Of course I can't seem to find the
info related to this.

There are certain system configuration settings that only the Enterprise
Admin can perform, such as in the configuration of the naming context in AD.
I believe that within PKI there are things only the EA can do. I would just
hand out the least set of privileges and go from there.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.
Ace Fekay [MCT]

 
      11-25-2009

"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
news:...
> The thing is it isn't recommended that anyone stay in the EA group for an
> extended period of time, instead the recommendation is to provide local
> admin access if needed on a daily basis. Of course I can't seem to find
> the info related to this.
>
> There are certain system configuration settings that only the Enterprise
> Admin can perform, such as in the configuration of the naming context in
> AD. I believe that within PKI there are things only the EA can do. I
> would just hand out the least set of privileges and go from there.
>
> --


That's actually stated in the AD design courseware, too. I will have to look
for an article on that. However, here's a good thread on it.
http://www.petri.co.il/forums/showthread.php?t=22311

Ace




 
Cosmo

 
      11-25-2009

I'll provide you with the full story. I have inherited an enterprise
consisting of 8 Forests and 12 domains, all managed under a very locked down
AD Delegation model (as per the MS Whitepaper on this topic). The Enterprise
and Domain Admins have basically no rights, as it is all AD role based. This
seems like a very good approach, but to have local admin rights on all
servers, currently I'm a member of 700 Windows security groups, which is an
absolute nightmare to manage!!

My proposed solution is to bring back the standard Domain Admin groups
throughout the entire enterprise. Currently the DA group is a member of
nothing, hence the reason it has no powers.

So, that's the reason I'm thinking of making the Forest root Domain Admins
group a member of the various child Domains' local Builtin\Administrators
group (i.e. manage the entire enterprise just with our Forest root Domain
Admin accounts), rather than the current 'x' number of AD Role based user
accounts.

 
Ace Fekay [MCT]

 
      11-25-2009

"Cosmo" <> wrote in message
news:F8B3F658-490F-4331-ACC6-...
> I'll provide you with the full story. I have inherited an enterprise
> consisting of 8 Forests and 12 domains, all managed under a very locked
> down AD Delegation model (as per the MS Whitepaper on this topic). The
> Enterprise and Domain Admins have basically no rights, as it is all AD
> role based. This seems like a very good approach, but to have local admin
> rights on all servers, currently I'm a member of 700 Windows security
> groups, which is an absolute nightmare to manage!!
>
> My proposed solution is to bring back the standard Domain Admin groups
> throughout the entire enterprise. Currently the DA group is a member of
> nothing, hence the reason it has no powers.
>
> So, that's the reason I'm thinking of making the Forest root Domain Admins
> group a member of the various child Domains' local Builtin\Administrators
> group (i.e. manage the entire enterprise just with our Forest root Domain
> Admin accounts), rather than the current 'x' number of AD Role based user
> accounts.
>


So you are saying this is set up this way in all 8 forests? Then you will
have to do that for each forest. And I assume there are two-way forest
trusts between them? That requires some attention, too. By default the
forest root domain's Domain Administrators group is part of EA. So that was
stripped. In a good security design, the domain administrator members would
be very limited, possibly to one or two people, so I don't know why this was
done that way in your infrastructure. If you wanted to lock it down further,
and I don't know exactly which whitepaper you read (you didn't post it), I
would have opted for an empty root design, where only one or two admins have
access at the top level, and each division or locale with their own child
domain would have their own admins that have no access to the forest root
anyway, so this EA stripping action wouldn't have been required.

I bet other things were changed as well, and you would have to carefully
weigh all changes and come up with a plan to get everything back to default,
if that is your end-result requirement.

And thanks for posting this info. It shed a lot of light on why you were
asking your questions the way you did.

Ace





 
Cosmo

 
      11-26-2009
It's all coming together.

I'll reinstate the Domain Admin roles throughout the enterprise, as the
current sys admin model is not working. Plus, leave all the other AD Role
Based roles alone (e.g. FnP Admins, IIS Admins, Sharepoint Admins, etc.).

I'll take your advice and implement the following:

Place only the three Enterprise Admin users within the Enterprise Forest
Root Domain Admin group, and this GG will be a member of all the various lower
child domains' 'Builtin\Administrators' group.

Whereas the lower Forest root Domain Admins GG for that Forest will again
be a member of the lower domain's 'Builtin\Administrators' group.

PS: The current AD Role Based model is exactly per the MS W2K AD Delegation
Whitepaper.

Thanks Ace and Paul for your fantastic assistance. Much appreciated :-)

Cheers,
Cosmo
 
Ace Fekay [MCT]

 
      11-27-2009
"Cosmo" <> wrote in message
news:CA835F63-16A9-4965-93AE-...
> It's all coming together.
>
> I'll reinstate the Domain Admin roles throughout the enterprise, as the
> current sys admin model is not working. Plus, leave all the other AD Role
> Based roles alone (e.g. FnP Admins, IIS Admins, Sharepoint Admins, etc.).
>
> I'll take your advice and implement the following:
>
> Place only the three Enterprise Admin users within the Enterprise Forest
> Root Domain Admin group, and this GG will be a member of all the various
> lower child domains' 'Builtin\Administrators' group.
>
> Whereas the lower Forest root Domain Admins GG for that Forest will again
> be a member of the lower domain's 'Builtin\Administrators' group.
>
> PS: The current AD Role Based model is exactly per the MS W2K AD
> Delegation Whitepaper.
>
> Thanks Ace and Paul for your fantastic assistance. Much appreciated :-)
>
> Cheers,
> Cosmo



The delegation papers have different scenarios. I can understand going with
their recommendation, but it surely complicates things, as you've seen. :-)

You are welcome. Let us know if you have any other questions. We'll be more
than happy to help.

Cheers!

Ace


 
Paul Bergson [MVP-DS]

 
      11-27-2009
Glad to help. :-)

--
Paul Bergson