Monday, May 11, 2015

What's the deal with that Enterprise Admins group?

If you've poked around in Active Directory, you may have noticed two very powerful groups that look almost interchangeable: Domain Admins and Enterprise Admins. In the forest root domain, the built-in Administrator account is a member of both. They are not the same thing, though, and the differences matter, so I will lay them out here.

First, Enterprise Admins exists only in the root domain of the forest. (In my opinion it should be called Forest Admins.) A member of Enterprise Admins is an Enterprise Admin everywhere in the forest. Domain Admins, by contrast, is created separately in every domain, and membership in one domain's Domain Admins grants nothing in any other domain, child domains included. The one wrinkle is that the Domain Admins of the forest root domain can add themselves to Enterprise Admins, because that group lives in their domain and they have full control over it. None of this is noticeable unless your forest has more than one domain.

If you look at the local Administrators group (in the "Local Users and Groups" MMC snap-in) on a domain-joined workstation, you'll see Domain Admins listed but not Enterprise Admins; joining the domain adds only Domain Admins. So Domain Admins can administer every machine in their domain out of the box, while Enterprise Admins' default rights live in the directory itself: the default ACLs grant SYSTEM and Enterprise Admins full control of essentially every securable Active Directory object in every domain of the forest (and the Domain Admins group of the object's own domain gets the same). Careful though: that directory control is all it takes. An Enterprise Admin can add themselves to the Domain Admins group of any domain in the forest in one step, so "not a local admin by default" is a default, not a boundary.
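The "full control on every object" claim above is easy to verify rather than take on faith. The following PowerShell is an added example, not code from the original post: it reads the ACL of an Active Directory object through the RSAT ActiveDirectory module's `AD:` drive and reports whether SYSTEM, Enterprise Admins, Domain Admins and the built-in Administrators group hold full control (or the WriteDacl/WriteOwner rights that are equivalent to it in practice). The function name and the choice of the domain head as the default object are my assumptions; the well-known SIDs and RIDs (512, 519, S-1-5-32-544, S-1-5-18) are standard.

```powershell
# Added example, not part of the original post. Reads the ACL of an Active
# Directory object and reports whether SYSTEM, Enterprise Admins, Domain
# Admins and the built-in Administrators group hold full control on it.
# Assumes the RSAT ActiveDirectory module on a domain-joined machine; the
# function name and the default object (the domain head) are my choices.
Import-Module ActiveDirectory

function Get-AdminGroupControl {
    param(
        # Distinguished name of the object to inspect; defaults to the domain head.
        [string]$DistinguishedName = (Get-ADDomain).DistinguishedName
    )
    $rootSid  = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
    $localSid = (Get-ADDomain).DomainSID.Value

    # Match on SIDs, not display names: the RIDs are fixed (512 = Domain Admins,
    # 519 = Enterprise Admins) while names can be localised or renamed.
    $principals = [ordered]@{
        'SYSTEM'            = 'S-1-5-18'
        'Enterprise Admins' = "$rootSid-519"
        'Domain Admins'     = "$localSid-512"
        'Administrators'    = 'S-1-5-32-544'
    }

    $acl = Get-Acl -Path "AD:$DistinguishedName"
    # Ask for explicit and inherited rules with SID identities, so no name
    # translation is needed (foreign principals translate poorly).
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $all        = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $writeDacl  = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
    $writeOwner = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

    foreach ($entry in $principals.GetEnumerator()) {
        $sid = $entry.Value
        $allowed = $rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $sid
        }
        # Union of the rights across every Allow ACE for this principal.
        $rights = 0
        foreach ($ace in $allowed) { $rights = $rights -bor [int]$ace.ActiveDirectoryRights }

        [pscustomobject]@{
            Object      = $DistinguishedName
            Principal   = $entry.Key
            Sid         = $sid
            FullControl = (($rights -band $all) -eq $all)
            # Either of these alone lets the holder grant itself full control later.
            WriteDacl   = (($rights -band $writeDacl) -ne 0)
            WriteOwner  = (($rights -band $writeOwner) -ne 0)
            Inherited   = [bool]($allowed | Where-Object IsInherited)
        }
    }
}

# Usage: the domain head first, then a specific object such as the Domain Admins group.
Get-AdminGroupControl | Format-Table -AutoSize
Get-AdminGroupControl -DistinguishedName (Get-ADGroup 'Domain Admins').DistinguishedName |
    Format-Table -AutoSize
```

Run it against the domain head of a child domain and you will see the root domain's Enterprise Admins SID with FullControl set even though that group is not defined in the child domain; run it against the Domain Admins group object and the same row shows why an Enterprise Admin can simply add themselves to it. The Inherited column tells you whether the right came from the domain head or was stamped on the object directly (protected groups get theirs re-applied from AdminSDHolder).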

There is one more powerful group, simply named Administrators (the built-in group, SID S-1-5-32-544). It exists in every domain of the forest, with Enterprise Admins, Domain Admins and the built-in Administrator account as its default members. Domain controllers have no separate local SAM, so this domain group is what serves as the local Administrators group on every domain controller in the domain: membership lets you log on to a DC and UAC-elevate. That is unlike Server Operators, who are allowed to log on to domain controllers but are not members of Administrators, and very much unlike ordinary users, who by default may log on locally to members of Domain Computers but not to domain controllers at all. (ENTERPRISE DOMAIN CONTROLLERS, which you will also see in ACLs, is not a logon target but the well-known identity S-1-5-9 that covers the forest's domain controller accounts themselves, clearly really important because its name is in all-caps.)
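The three groups' scopes from the last few paragraphs (Enterprise Admins only in the root, Domain Admins and Administrators in every domain, Domain Admins but not Enterprise Admins in a workstation's local Administrators, and Administrators standing in for the local group on domain controllers) can be checked in one pass. The following PowerShell is an added example, not code from the original post: it walks every domain in the forest, lists the direct members of each group by well-known SID, and then checks whether those groups sit in the local Administrators group of the machine it runs on. It assumes the RSAT ActiveDirectory module and PowerShell 5.1 or later (for `Get-LocalGroupMember`); the function names are mine.

```powershell
# Added example, not part of the original post. Lists the members of Domain
# Admins and Administrators in every domain of the forest (plus Enterprise
# Admins in the root), then checks whether those groups are in this member
# machine's local Administrators group. Assumes the RSAT ActiveDirectory
# module and PowerShell 5.1+ (Get-LocalGroupMember); function names are mine.
Import-Module ActiveDirectory

function Get-ForestAdminGroups {
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $domainSid = (Get-ADDomain -Identity $domainName).DomainSID.Value
        # Domain Admins (RID 512) and built-in Administrators exist in every domain;
        # Enterprise Admins (RID 519) exists only in the forest root domain.
        $groups = [ordered]@{
            'Domain Admins'  = "$domainSid-512"
            'Administrators' = 'S-1-5-32-544'
        }
        if ($domainName -eq $forest.RootDomain) {
            $groups['Enterprise Admins'] = "$domainSid-519"
        }
        foreach ($entry in $groups.GetEnumerator()) {
            # Direct members only; add -Recursive to expand nested groups.
            # In a child domain, the root's Enterprise Admins shows up in
            # Administrators as a foreignSecurityPrincipal named by its SID.
            $members = Get-ADGroupMember -Identity $entry.Value -Server $domainName |
                ForEach-Object { "$($_.objectClass):$($_.name)" }
            [pscustomobject]@{
                Domain  = $domainName
                Group   = $entry.Key
                Sid     = $entry.Value
                Members = ($members -join ', ')
            }
        }
    }
}

function Test-DomainGroupsInLocalAdmins {
    # A domain controller has no local SAM: its "local" Administrators is the
    # domain's built-in group that Get-ForestAdminGroups already lists.
    # Win32_ComputerSystem.DomainRole 4 and 5 are backup/primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -ge 4) {
        throw 'This machine is a domain controller; inspect the domain Administrators group instead.'
    }
    $forest   = Get-ADForest
    $rootSid  = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
    $localSid = (Get-ADDomain).DomainSID.Value
    $localAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544'

    foreach ($pair in @(
        @{ Name = 'Domain Admins';     Sid = "$localSid-512" },
        @{ Name = 'Enterprise Admins'; Sid = "$rootSid-519" }
    )) {
        [pscustomobject]@{
            Group         = $pair.Name
            Sid           = $pair.Sid
            InLocalAdmins = [bool]($localAdmins | Where-Object { $_.SID.Value -eq $pair.Sid })
        }
    }
}

Get-ForestAdminGroups | Format-Table -AutoSize
Test-DomainGroupsInLocalAdmins | Format-Table -AutoSize
```

On a freshly joined workstation the second table shows Domain Admins as InLocalAdmins and Enterprise Admins as not, which is exactly the distinction the post is making. Matching on SIDs rather than names matters here: renaming the group or running on a non-English build would otherwise produce a false "not present".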

So, in summary: Enterprise Admins are powerful forest-wide and hold full control of the directory, but by default they are not local admins on domain-joined workstations, only on domain controllers (through each domain's Administrators group). Domain Admins are local admins on every machine in their own domain, and only there. Since an Enterprise Admin can join any Domain Admins group at will, treat the two groups as equally sensitive.
