Granting ‘Enterprise Admins’ administrative access to computers in a child domain

‘Domain Admins’ is a global group, and a global group can only contain accounts and groups from its own domain, so you cannot add the forest root’s ‘Enterprise Admins’ (a universal group) to the ‘Domain Admins’ group of a child domain. However, the same effect (managing machines in the child domain from a root domain user account) can be achieved with a computer Group Policy that adds ‘Enterprise Admins’ to the local Administrators group of each machine, alongside ‘Domain Admins’, which is placed there automatically when the machine is joined to the domain.

In this example there is a root domain ‘vc.example.com’ and a child domain ‘uk.vc.example.com’. This group policy is created and applied in uk.vc.example.com.

1. Access the section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups
2. Right-click Restricted Groups, choose 'Add Group...' and enter 'Administrators' (the local group on each machine)
3. In 'Members of this group', add 'UK\Domain Admins' and 'VC\Enterprise Admins'

One issue with this method is that ‘Members of this group’ is authoritative: at every policy refresh it removes any member of the local Administrators group that is not listed, apart from the local machine’s built-in ‘Administrator’ account, which cannot be removed from the group. If existing local administrators must be preserved, define ‘VC\Enterprise Admins’ as the restricted group instead and list ‘Administrators’ under ‘This group is a member of’; that mode adds the group without touching the other members.
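To confirm the policy has taken effect, and to see exactly which accounts the ‘Members of this group’ setting removed, the following PowerShell script is an added example (not from the original post). Run it on a member computer of uk.vc.example.com once with -Baseline before the GPO is linked, then again after gpupdate /force. It identifies the groups by well-known RID (512 for Domain Admins, 519 for Enterprise Admins, 500 for the built-in Administrator) rather than by display name, so it still works if the root-domain DC is unreachable and a member shows up as an unresolved SID. The baseline path C:\Temp\admins-baseline.json and the use of the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) are assumptions of the example.

```powershell
# Added example, not part of the original post. Run elevated on a member computer
# of uk.vc.example.com: first with -Baseline (before the GPO is linked), then
# again after 'gpupdate /force' to verify the result and list what was removed.
# Assumes the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember).
# The baseline path is an arbitrary choice for this example.
param(
    [switch]$Baseline,
    [string]$BaselinePath = 'C:\Temp\admins-baseline.json'
)

# Well-known RIDs (last component of the SID). Matching on the RID rather than the
# display name keeps the check working when the root domain's DC is unreachable and
# a member is shown as an unresolved SID instead of 'VC\Enterprise Admins'.
$Rid = @{ DomainAdmins = 512; EnterpriseAdmins = 519; BuiltinAdministrator = 500 }

function Get-AdminMembers {
    # Returns each member of the local Administrators group with its SID and RID.
    Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object {
            [pscustomobject]@{
                Name = $_.Name
                Sid  = $_.SID.Value
                Rid  = [int](($_.SID.Value -split '-')[-1])
            }
        }
}

$Current = @(Get-AdminMembers)

if ($Baseline) {
    # Snapshot the membership before the policy applies so removals can be listed later.
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $Current | ConvertTo-Json | Set-Content -Path $BaselinePath
    "Saved $($Current.Count) members to $BaselinePath"
    return
}

# After the policy: both UK\Domain Admins (512) and VC\Enterprise Admins (519) must be present.
$HasDa = $Current | Where-Object { $_.Rid -eq $Rid.DomainAdmins }
$HasEa = $Current | Where-Object { $_.Rid -eq $Rid.EnterpriseAdmins }
"Domain Admins present:     $([bool]$HasDa)"
"Enterprise Admins present: $([bool]$HasEa)"

# 'Members of this group' replaces the membership, so everything in the baseline
# other than DA, EA and the built-in Administrator (500) is expected to be gone.
if (Test-Path $BaselinePath) {
    $Before  = @(Get-Content $BaselinePath -Raw | ConvertFrom-Json)
    $Removed = $Before | Where-Object { $_.Sid -notin $Current.Sid }
    "Removed by the policy:"
    $Removed | ForEach-Object { "  $($_.Name) ($($_.Sid))" }
}
```

The Restricted Groups setting itself is stored in the GPO under Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf in a [Group Membership] section keyed by SID (S-1-5-32-544 is the local Administrators group), which is why the check compares SIDs rather than names.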

Screenshot of the GPMC editor:

Comments

  • Very helpful information.

    Thanks