Domain Admins vs. Enterprise Admins

Posted: August 30, 2008 in Active Directory, Windows Server, Windows Server 2012 R2

Many people have asked me, “What is the difference between the Enterprise Admins group and the Domain Admins group in an Active Directory environment?” In short, the Enterprise Admins group has complete control of the entire forest (all the domains in the forest), whereas Domain Admins have access only to their specific domain.

The following table is an extract from TechNet:

| Group | Description | Default user rights |
| --- | --- | --- |
| Domain Admins | Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution. | Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects. |
| Enterprise Admins (only appears in the forest root domain) | Members of this group have full control of all domains in the forest. By default, this group is a member of the Administrators group on all domain controllers in the forest. By default, the Administrator account is a member of this group. Because this group has full control of the forest, add users with caution. | Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects. |

Most IT guys misunderstand the roles of these groups and their user rights in a domain environment and a forest environment. I hope you now have a pretty clear picture of what members of these two groups can do.
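
Since both groups should be populated with caution, it helps to review who actually holds them. The script below is an added example, not part of the original post or the TechNet extract. It lists the effective members of Domain Admins in every domain of the forest and of Enterprise Admins in the forest root domain. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that you can read each domain; the function name Get-PrivilegedGroupMember is made up for this example.

```powershell
# Added example: audit membership of Domain Admins and Enterprise Admins forest-wide.
# Assumes the ActiveDirectory module (RSAT) and read access to every domain.
Import-Module ActiveDirectory

function Get-PrivilegedGroupMember {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Server,    # DNS name of the domain to query
        [Parameter(Mandatory)] [string] $GroupSid,  # SID of the group to expand
        [Parameter(Mandatory)] [string] $Scope      # label used in the report
    )
    # Look the group up by SID so renamed or localized groups are still found
    $group = Get-ADGroup -Identity $GroupSid -Server $Server

    # -Recursive expands nested groups and returns only the leaf members,
    # so accounts that are admins through another group are reported too
    Get-ADGroupMember -Identity $group -Server $Server -Recursive |
        ForEach-Object {
            [pscustomobject]@{
                Scope  = $Scope
                Domain = $Server
                Group  = $group.Name
                Member = $_.SamAccountName
                Type   = $_.objectClass
                DN     = $_.distinguishedName
            }
        }
}

$forest = Get-ADForest
$report = foreach ($domainName in $forest.Domains) {
    $domainSid = (Get-ADDomain -Server $domainName).DomainSID.Value

    # Domain Admins exists in every domain: <domain SID>-512
    Get-PrivilegedGroupMember -Server $domainName -GroupSid "$domainSid-512" -Scope 'Domain'

    # Enterprise Admins exists only in the forest root domain: <root domain SID>-519
    if ($domainName -eq $forest.RootDomain) {
        Get-PrivilegedGroupMember -Server $domainName -GroupSid "$domainSid-519" -Scope 'Forest'
    }
}

# One row per effective member; forest-wide rights are labelled 'Forest'
$report | Sort-Object Scope, Domain, Member | Format-Table -AutoSize
```

Any account listed with Scope 'Forest' has control of every domain in the forest, so that part of the report deserves the closest review.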

Comments
  1. huvanile says:

    This might be a silly question, but can enterprise admins add, change and delete domain accounts without being a domain admin on one of the domains (e.g., strictly by virtue of being an enterprise admin)?

    • Akfash Latibu says:

      Yes, as the enterprise admin they can do it for any domain within the forest. :)

      PS: It’s not a silly question

  2. Dawid says:

    Hi,

    nice summary. And what would you suggest for administering trusted domain(s) in different forests?
    I mean, how would you configure groups, if you want a user which is Domain Admin (or Enterprise Admin) for DomainA to be Domain Admin (or Enterprise Admin) for trusted DomainB. Let’s assume a two way trust with forest-wide authentication in DomainB forest and selective authentication in DomainA forest.

    Thanks for your answer,
    Dawid

  3. bin says:

    Thank you. Now I have a clear picture about Domain Admins and Enterprise Admins.

  4. Anonymous says:

    So, an Enterprise Admin would have more rights than a Domain Admin. Just to make sure I’m clearly understanding. A Domain Admin only has access to a single domain and the Enterprise Admin has access to all Domains within the Forest. So, the Enterprise Admin would be the All powerful admin

  5. Marty says:

    So, an Enterprise Admin would have more rights than a Domain Admin. Just to make sure I’m clearly understanding. A Domain Admin only has access to a single domain and the Enterprise Admin has access to all Domains within the Forest. So, the Enterprise Admin would be the All powerful admin

  6. Anonymous says:

    Could you please post the difference between Built In > Administrators vs Domain Admins

  7. Anonymous says:

    Thanks for sharing the difference, really it’s very clear.

  8. Spot on with this write-up, I actually believe that this site needs
    much more attention. I’ll probably be back again to read through more, thanks for the info!

  9. Can I simply say what a comfort to uncover someone that truly understands what they’re discussing on the internet. You actually realize how to bring an issue to light and make it important. More people ought to look at this and understand this side of your story. I was surprised you are not more popular since you surely possess the gift.

  10. Hmm is anyone else having problems with the pictures on this blog loading?
    I’m trying to find out if it’s a problem on my end or if it’s the blog.
    Any feed-back would be greatly appreciated.
