How Enterprise Admins group works in multiple trees in same forest

Discussion in 'Active Directory' started by Shawn Conaway, Nov 9, 2006.

  1. Hello,

    I currently have two domains ( and in separate trees
    in the same forest. is the forest root and does not have any
    significant objects or users in the domain.

    I need to create two new domains in the forest. I am choosing between a
    peer root architecture (which the two domains are now) and an empty root
    architecture with being the empty root for the new domains.

    The ultimate goal is for a centralized group of Enterprise Admins to have
    the ability to administer all the domains when needed, but for daily
    administration of the domains to be done by the individual Domain Admins.

    If I add additional domains into the forest as peers, do I have to add the
    Enterprise Admins group into the Domain Admins group for each peer domain?
    Is the Enterprise Admins group automatically in the Domain Admins group for
    child domains? Is there anything preventing the Domain Admins in the peer
    domains from removing Enterprise Admins from their domains?
    Shawn Conaway, Nov 9, 2006

  2. I won't go into it, but have a quick look at the resource kit's deployment
    guide book, Designing and Deploying Directory and Security Services, to be
    sure you actually need all these domains. The recommendation these days is
    keep it simple, which means always start off with a single domain forest and
    go from there with the business's requirements.
    No, and you can't anyway as Domain Admins is a GG and EA a UG.

    No, EA has full control over all objects in the directory, there's no need
    to add it to any groups.

    Nope. Although it's also impossible for them to stop an EA from taking back
    control. Hence the information about the security boundary being the forest,
    and using domains as security and administrative boundaries being weak
    arguments for a multi-domain forest.
    Paul Williams [MVP], Nov 9, 2006

  3. The only admins you have in any of the domains should be the same folks
    who are enterprise admins. The domain is not a security boundary and if
    there is any thought that any of the other domains (including forest
    root) are safe from the DAs from the various domains it is incorrect.
    This has been discussed over and over again in these groups.

    You should have just a couple (3-5) of Enterprise Admins and those are
    the same people that are Domain Admins in all of the domains in the
    forest. The builtin groups other than that, such as accops, srvops, etc.,
    should not be used and all other access is through proxied tools or
    provisioning (preferred) or direct delegation of specific attributes (no
    full control, no create objects, etc.).

    As for the structure in terms of child domains and additional trees,
    etc. None of that has any bearing on the access rights of Enterprise
    Admins. I would recommend not using a multiple tree forest as it tends
    to cause more trouble than it is worth and quite honestly I haven't
    heard a single good reason to have one, the reasons I have heard to date
    have all fallen into several equally stupid categories:

    1. Political
    2. People don't understand security
    3. Some stupid app only works that way.
    4. Some other uninformed misc reason.

    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition

    ---O'Reilly Active Directory Third Edition now available---
    Joe Richards [MVP], Nov 10, 2006
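Added example (not code from the thread or from either MVP): a PowerShell audit that checks a forest against the advice in the two replies above. For every domain it lists Domain Admins who are not also Enterprise Admins, reports whether the built-in operator groups hold any members, and verifies that the Enterprise Admins Full Control ACE is still present on the domain naming context head (Domain Admins can edit that ACL, and a missing ACE is worth knowing about even though EA can recover from it). It assumes the RSAT ActiveDirectory module and an account that can read group membership and the nTSecurityDescriptor in every domain; the RIDs 512/519 and the S-1-5-32-* operator group SIDs are the standard well-known values.

```powershell
# Added example: forest-wide check of Domain Admins vs Enterprise Admins,
# operator-group usage, and the EA Full Control ACE on each domain NC head.
# Assumes RSAT ActiveDirectory and read access to every domain in the forest.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDom = Get-ADDomain -Identity $forest.RootDomain

# Well-known RIDs: 519 = Enterprise Admins (exists only in the forest root),
# 512 = Domain Admins (one per domain). Membership is compared by SID, not name.
$eaSid     = "$($rootDom.DomainSID.Value)-519"
$eaMembers = Get-ADGroupMember -Identity $eaSid -Server $forest.RootDomain -Recursive
$eaSids    = @($eaMembers | ForEach-Object { $_.SID.Value })
$eaAccount = "$($rootDom.NetBIOSName)\Enterprise Admins"

# Built-in operator groups that the advice above says should stay empty.
$operatorGroups = @{
    'Account Operators' = 'S-1-5-32-548'
    'Server Operators'  = 'S-1-5-32-549'
    'Print Operators'   = 'S-1-5-32-550'
    'Backup Operators'  = 'S-1-5-32-551'
}

$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $daSid  = "$($domain.DomainSID.Value)-512"
    $da     = @(Get-ADGroupMember -Identity $daSid -Server $domainName -Recursive)

    # Domain Admins who are not Enterprise Admins: the thread's recommendation
    # is that the two sets are the same few people in every domain.
    $daOnly = @($da | Where-Object { $eaSids -notcontains $_.SID.Value })

    # Read the ACL on the domain NC head directly from nTSecurityDescriptor so
    # no AD: PSDrive is needed for domains other than the one you logged on to.
    $sd = (Get-ADObject -Identity $domain.DistinguishedName -Server $domainName `
            -Properties nTSecurityDescriptor).nTSecurityDescriptor
    $eaAce = @($sd.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $eaAccount -and
        (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
    })

    # Any operator group with members is reported by name.
    $populatedOps = @(foreach ($name in $operatorGroups.Keys) {
        if (@(Get-ADGroupMember -Identity $operatorGroups[$name] -Server $domainName).Count -gt 0) {
            $name
        }
    })

    [pscustomobject]@{
        Domain             = $domainName
        DomainAdminCount   = $da.Count
        DAsNotInEA         = ($daOnly | ForEach-Object { $_.SamAccountName }) -join ','
        EAFullControlACE   = ($eaAce.Count -gt 0)
        PopulatedOpsGroups = ($populatedOps -join ',')
    }
}
```

Run it as an Enterprise Admin from any domain-joined box; it only reads. A row with a non-empty DAsNotInEA column, a populated operator group, or EAFullControlACE set to False is the situation the replies above warn about: someone in a domain has diverged from the central admin set, and because the domain is not a security boundary that divergence is a forest-wide exposure, not a local one. The script reports; it does not fix.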
