I've built a forest for testing consisting of a forest root domain and two child domains. Enterprise admins in the root domain don't seem to have admin privileges on member servers in the child domains.
In Active Directory Domains and Trusts the transitive trusts validate.
DCDiag shows no errors.
Repadmin /showrepl shows no errors and all successful authentications.
DNS seems to be working fine. Zones are replicated to all AD integrated DNS servers in the forest.
NLTest shows everything seems to be fine:
But when I log in to a child domain member server as a forest root Enterprise Admin (which works fine), I don't get admin permissions:
What else can I check?
The default permissions are working as designed. Enterprise Admins do not receive any admin permissions on workstations or member servers.
See https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory#enterprise-admins
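A quick way to confirm the answer's point on the child-domain member server itself, as an added example that is not part of the question or answer: list the local Administrators group and report whether the child domain's Domain Admins (RID 512) and the forest root's Enterprise Admins (RID 519) are among its members. It assumes PowerShell 5.1 or later with the built-in Get-LocalGroupMember cmdlet and a domain-joined server.

```powershell
# Added check (not from the original post): enumerate local Administrators on
# this member server and flag whether Domain Admins of the computer's own domain
# and Enterprise Admins of the forest root are present. Assumes PowerShell 5.1+.
$computerDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$forestRoot     = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain

# The domain SID is the objectSid attribute of the domain naming context.
function Get-DomainSid([System.DirectoryServices.ActiveDirectory.Domain]$Domain) {
    $entry = $Domain.GetDirectoryEntry()
    New-Object System.Security.Principal.SecurityIdentifier($entry.Properties['objectSid'].Value, 0)
}

# Well-known RIDs: 512 = Domain Admins, 519 = Enterprise Admins (forest root only).
$domainAdminsSid     = "$(Get-DomainSid $computerDomain)-512"
$enterpriseAdminsSid = "$(Get-DomainSid $forestRoot)-519"

# Get-LocalGroupMember exposes the SID of every member, including cross-domain ones.
$members    = Get-LocalGroupMember -Group 'Administrators'
$memberSids = $members | ForEach-Object { $_.SID.Value }

[PSCustomObject]@{
    Computer                = $env:COMPUTERNAME
    Domain                  = $computerDomain.Name
    ForestRoot              = $forestRoot.Name
    DomainAdminsPresent     = $memberSids -contains $domainAdminsSid
    EnterpriseAdminsPresent = $memberSids -contains $enterpriseAdminsSid
    Members                 = ($members | ForEach-Object { $_.Name }) -join ', '
}
```

On a default member server the output shows DomainAdminsPresent as True and EnterpriseAdminsPresent as False, which is the behaviour the answer describes; if Enterprise Admins does appear, someone added it (directly or via Group Policy Restricted Groups), which is worth knowing when reviewing who holds local admin rights.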