How to Override child domain using Enterprise Admin

  • Thread starter Thread starter Stanser
  • Start date Start date
S

Stanser

HI,

We have a root abc.com domain and a child child.abc.com domain. Somehow the
Enterprise Admin is unable to change the security settings on the child
domain or add itself to the child.abc.com Domain Admin group. I can't take
ownership either, it said I don't have permission and I can view only.

Any advise on how do I regain admin control back?

Thanks

Stanser
 
Depending on what powers you do have left you could try to use Group Policy
restricted groups at the domain level to add the enterprise admins group
back to the administrators group for that domain. If you try that be sure
that you also include the domain admins group for that domain in the
restricted groups. See the link below on the use of restricted groups if you
need more info.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/611.asp

Another possibility is to use dsacls to change permissions on Active
Directory objects. You can use with the /s switch to change AD object
permissions to default permissions. You could do it for the whole domain,
user, group, OU, etc. Somebody in that domain may have tried to lock you out
on purpose for whatever that is worth. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;281146
http://support.microsoft.com/?id=294257 -- examples of dsacls.
 
You are sure that you are not confusing inability to add
EntAdms to DomAdms (which is not possible) with a
security/permissions issue? EntAdms should be in the
domain's Administrators group, not the DomAdms group.
 
Administrators - FULL
Authenticated Users
ENTERPRISE DOMAIN CONTROLLERS - replication only
System
Everyone - read

Enterprise Admin is not in any local domain Admin group at all.
 
I did try to use DSACL but access denied and I logged in as Ent Admin

Haven't tried Group Policy restricted groups at the domain level.
 
Back
Top