Domain Admins vs. Enterprise Admins

Many people have asked me, “What is the difference between the Enterprise Admins and Domain Admins groups in an Active Directory environment?” In short, the Enterprise Admins group has complete control of the entire forest (all the domains in the forest), whereas the Domain Admins have access only to their specific domain.

The following table is an extract from TechNet:

| Group | Description | Default user rights |
|---|---|---|
| Domain Admins | Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution. | Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects. |
| Enterprise Admins (only appears in the forest root domain) | Members of this group have full control of all domains in the forest. By default, this group is a member of the Administrators group on all domain controllers in the forest. By default, the Administrator account is a member of this group. Because this group has full control of the forest, add users with caution. | Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects. |

Most IT guys misunderstand the roles of these groups and their user rights in a domain environment and a forest environment. I hope you now have a pretty clear picture of what members of these two groups can do.
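
Because both groups carry full control and should be granted with caution, it helps to review who actually holds them. The script below is an added example, not part of the original post: it lists the members of Enterprise Admins (forest root only) and of Domain Admins in every domain of the forest. It assumes the ActiveDirectory RSAT module and read access to each domain, and it resolves the groups by their well-known RIDs (519 and 512), which are not taken from the table above.

```powershell
# Added example: forest-wide review of Enterprise Admins and Domain Admins membership.
# Assumes the ActiveDirectory module (RSAT) and read access to every domain in the forest.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootSid = (Get-ADDomain -Server $forest.RootDomain).DomainSID.Value

# Enterprise Admins exists only in the forest root domain: <root domain SID>-519.
# Looking the group up by SID keeps the script working if the group was renamed
# or the domain uses a localized group name.
$report = @(
    Get-ADGroupMember -Identity "$rootSid-519" -Server $forest.RootDomain -Recursive |
        Select-Object @{n='Scope';  e={'Forest'}},
                      @{n='Domain'; e={$forest.RootDomain}},
                      @{n='Group';  e={'Enterprise Admins'}},
                      SamAccountName, objectClass, distinguishedName
)

# Domain Admins exists once per domain: <domain SID>-512.
foreach ($domain in $forest.Domains) {
    $sid = (Get-ADDomain -Server $domain).DomainSID.Value
    $report += Get-ADGroupMember -Identity "$sid-512" -Server $domain -Recursive |
        Select-Object @{n='Scope';  e={'Domain'}},
                      @{n='Domain'; e={$domain}},
                      @{n='Group';  e={'Domain Admins'}},
                      SamAccountName, objectClass, distinguishedName
}

# -Recursive expands nested groups, so every row is an account that effectively
# holds the right, not just a direct member.
$report | Sort-Object Scope, Domain, SamAccountName | Format-Table -AutoSize
```

Rows with Scope "Forest" have control over every domain in the forest; rows with Scope "Domain" are limited to the domain shown in the Domain column.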

15 thoughts on “Domain Admins vs. Enterprise Admins”

  1. This might be a silly question, but can enterprise admins add, change and delete domain accounts without being a domain admin on one of the domains (e.g., strictly by virtue of being an enterprise admin)?

    • Yes, as the enterprise admin they can do it for any domain within the forest. 🙂

      PS: It’s not a silly question

  2. Hi,

    nice summary. And what would you suggest for administering trusted domain(s) in different forests?
    I mean, how would you configure groups if you want a user who is Domain Admin (or Enterprise Admin) for DomainA to be Domain Admin (or Enterprise Admin) for trusted DomainB? Let’s assume a two-way trust with forest-wide authentication in DomainB forest and selective authentication in DomainA forest.

    Thanks for your answer,
    Dawid

  3. So, an Enterprise Admin would have more rights than a Domain Admin. Just to make sure I’m clearly understanding. A Domain Admin only has access to a single domain and the Enterprise Admin has access to all Domains within the Forest. So, the Enterprise Admin would be the all-powerful admin.

  5. Can I simply say what a comfort to uncover someone that truly understands what they’re discussing on the internet. You actually realize how to bring an issue to light and make it important. More people ought to look at this and understand this side of your story. I was surprised you are not more popular since you surely possess the gift.

  6. Hmm, is anyone else having problems with the pictures on this blog loading?
    I’m trying to find out if it’s a problem on my end or if it’s the blog.
    Any feedback would be greatly appreciated.

  7. It’s nearly impossible to find experienced people about this subject, but you sound like you know
    what you’re talking about! Thanks

  8. Right here is the right web site for everyone who wants
    to find out about this topic. You know a whole lot; it’s almost hard to argue with you
    (not that I personally would want to…HaHa). You certainly put a fresh spin on a topic that’s been written about for many years.
    Excellent stuff, just excellent!
