AD, Ent. Admin rights in child domain


Tony Cooke

All,

Maybe you can help me out.

I have a root AD domain with about 4 DCs. There is also a child domain
which has 2 DCs.

Members of the Enterprise Admins group in the parent domain have 0 rights in
the child domain. What gives?

Also, when I try to set the 'managed by' tab for the domain to a user in the
parent domain, I get an error "The following Active Directory error
occurred: The name reference is invalid."

AND - Wait! There's more!

I can't add users from the parent domain to groups in the child domain.
Users and Groups from the parent are not an available option.


Thanks for any advice on my woes.

T
 
Are you trying to add users from the parent domain to global groups in the
child domain? If so, this will not work as global groups can only contain
entries from the local domain. Use a local or universal group.
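
The scope rule in the reply above, as an added PowerShell example that is not part of the original thread: it checks the child-domain group's scope and only adds the parent-domain user when the scope can hold members from another domain. The domain names, group name and user name are placeholder assumptions, and the ActiveDirectory (RSAT) module is assumed to be installed.

```powershell
# Added example. All names below are assumed placeholders, not values from the thread.
$ParentDomain = 'corp.example'            # assumed parent (root) domain
$ChildDomain  = 'child.corp.example'      # assumed child domain
$GroupName    = 'Child-Server-Operators'  # assumed existing group in the child domain
$ParentUser   = 'parent.user'             # assumed sAMAccountName in the parent domain

Import-Module ActiveDirectory

function Test-AcceptsOtherDomainMember {
    param([Parameter(Mandatory)][string]$GroupScope)
    # Global groups hold only principals from their own domain;
    # domain local and universal groups can hold principals from other domains.
    return $GroupScope -in 'DomainLocal', 'Universal'
}

# Read the group from a DC in the child domain and inspect its scope.
$group = Get-ADGroup -Identity $GroupName -Server $ChildDomain
$scope = [string]$group.GroupScope

if (Test-AcceptsOtherDomainMember -GroupScope $scope) {
    # Resolve the user against the parent domain, then write the membership
    # against the child domain. Passing the user object (not just a name)
    # is what lets the cmdlet resolve a principal from another domain.
    $user = Get-ADUser -Identity $ParentUser -Server $ParentDomain
    Add-ADGroupMember -Identity $group -Members $user -Server $ChildDomain

    # Confirm the change by reading the raw member attribute back.
    (Get-ADGroup -Identity $group -Server $ChildDomain -Properties member).member
}
else {
    Write-Warning ("'{0}' has scope {1}, which cannot contain members from {2}. " +
        "Use a domain local or universal group instead.") -f $GroupName, $scope, $ParentDomain
}
```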
 
Okay - so I could create a global group in the child domain, make it a
member of a local group in the child domain, and add parent domain users to
the new global group... let me try.

T
 
The domain is the security boundary (although for strict
boundaries, one should deploy forests (another story)).

As such, Ent Admins are not domain admins in other domains
BY DESIGN. They have total control over forest-wide
entities such as sites and subnets but not domain objects
outside of their own domain.

Neil
 