How to Restrict Enterprise Admins From Child Domain - TechNet Articles - United States (English) - TechNet Wiki

Applicable To : Windows Server 2003, 2008, 2008 R2 and 2012.

Disclaimer : To know how only !

Setup : AD.TESTLAB.COM and PROJECT.AD.TESTLAB.COM

Requirement : Restrict Enterprise Admins from Child Domain ?

Details:&fiji-r4">

When child domain is introduced, by default Enterprise Admins group is added to Child Domain\Administrators group (Builtin local Security group). In case, if you wish to restrict Enterprise Admins from managing child Domain, follow the steps below.

Remove Enterprise Admins group from Child Domain\Administrators group (Builtin local Security group).

Remove Enterprise Admins from DNS

Remove Enterprise Admins group from GPMC, though that group has Read only permissions !

Remove Enterprise Admins group from NTDS settings for each child DC available in Active Directory Sites and services.

P.S. To perform aforementioned tasks, your ID needs to be member of Child Domain\Administrators or Child Domain\Domain Admins group or you should log on to child domain as Child Domain\Administrator account.

- End of the article -

See Also :

Enterprise administrator and Child domain

Repercussions when removing Enterprise Admins

C 2015 Microsoft Corporation. All rights reserved.

Terms of Use

Trademarks

Privacy Statement

[Copied from] v5.6.915.0

This page has been extacted by Pete Laker, Microsoft Azure MVP & Microsoft IT Implementer

X