Enterprise Admin Group

[Michael]

Should an enterprise administrator in a native mode single forest root have
administrative access to member servers in domains in the same forest?

The enterprise admin has rights to the dc's in the domains in the forests,
but not member servers.

 

[Herb Martin]

I think not (by default) since it is automatically setup
in the beginning in Mixed mode (Domains had to start
here.)

In mixed mode group nesting isn't possible so with
both Enterprise Admins and Domain Admins being
global groups they fit quite nicely into the local
Administrators groups of each DC, but the individual
servers join like workstations.

These have not been taught to put Enterprise Admins
into the machine local Administrators -- and nothing
special happens at switch to Native mode.

You could of course (in Native mode) place your
Enterprise Admins into Domain Admins (probably
remove it from direct placement in Administrators).

 

[Herb Martin]

I was responding to this piece of the response


In Native mode Enterprise Admins is a Universal Group. Universal groups

can't be nested into Global Groups.

So it switches type automatically when you switch to native mode?

I overlooked that.

 

[Joe Richards [MVP]]

Yep. Enterprise Admins and Schema Admins switch to Universal groups when you change to Native Mode. It is hard coded
somewhere too because the GUI greys it out and doesn't allow the switch that you normally can do with Uni's.