When a child domain is created, the Enterprise Admins group is added by default to the Child Domain\Administrators group (a Builtin local security group). If you wish to restrict Enterprise Admins from managing the child domain, follow the steps below.
Remove the Enterprise Admins group from the Child Domain\Administrators group (Builtin local security group).
Remove Enterprise Admins from DNS.
Remove the Enterprise Admins group from GPMC, even though that group has only Read permissions there.
Remove the Enterprise Admins group from the NTDS Settings of each child DC listed in Active Directory Sites and Services.
P.S. To perform these tasks, your ID needs to be a member of the Child Domain\Administrators or Child Domain\Domain Admins group, or you should log on to the child domain with the Child Domain\Administrator account.
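To check the result of the steps above, the following read-only PowerShell audit (an added example, not part of the original article) lists where Enterprise Admins is still referenced in the child domain: the Builtin Administrators group, GPO delegation, and the NTDS Settings object of each child DC. The domain name child.corp.example is a placeholder, and DNS is not checked because the article does not say which DNS object carries the permission.

```powershell
# Added example: read-only audit, it changes nothing. Needs the RSAT
# ActiveDirectory and GroupPolicy modules; run it while logged on to the child domain.
Import-Module ActiveDirectory, GroupPolicy

$childDomain = 'child.corp.example'   # assumption: placeholder child domain FQDN

# Enterprise Admins is the forest root domain SID plus the well-known RID 519.
$forest  = Get-ADForest -Server $childDomain
$rootDom = Get-ADDomain -Server $forest.RootDomain
$eaSid   = "$($rootDom.DomainSID.Value)-519"
$eaDn    = (Get-ADGroup -Identity $eaSid -Server $forest.RootDomain).DistinguishedName

$findings = @()

# Builtin\Administrators (S-1-5-32-544) of the child domain: direct membership.
$admins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $childDomain -Properties member
if ($admins.member -contains $eaDn) {
    $findings += [pscustomobject]@{ Step = 'Administrators group'
        Object = $admins.DistinguishedName; Detail = 'direct member' }
}

# GPMC: delegation entries on every GPO of the child domain.
foreach ($gpo in Get-GPO -All -Domain $childDomain) {
    $perms = Get-GPPermission -Guid $gpo.Id -All -DomainName $childDomain
    foreach ($p in $perms | Where-Object { $_.Trustee.Sid.Value -eq $eaSid }) {
        $findings += [pscustomobject]@{ Step = 'GPO delegation'
            Object = $gpo.DisplayName; Detail = "$($p.Permission)" }
    }
}

# NTDS Settings of each child DC: ACEs resolved to SIDs so renamed groups still match.
foreach ($dc in Get-ADDomainController -Filter * -Server $childDomain) {
    $acl   = Get-Acl -Path "AD:\$($dc.NTDSSettingsObjectDN)"
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules | Where-Object { $_.IdentityReference.Value -eq $eaSid }) {
        $findings += [pscustomobject]@{ Step = 'NTDS Settings'
            Object = $dc.Name; Detail = "$($r.ActiveDirectoryRights) inherited=$($r.IsInherited)" }
    }
}

# An empty result means none of the three checked locations references Enterprise Admins.
$findings | Format-Table -AutoSize -Wrap
```

Entries reported with inherited=True come from a parent container's ACL and cannot be removed on the NTDS Settings object itself.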
See also:
Enterprise administrator and Child domain
Repercussions when removing Enterprise Admins