My apologies if this seems basic and/or silly.
Aside from creating new domains or modifying the schema, why would an admin need access to the root dc of a forest(the schema, domain namming master)? furthermore, why would an admin in a child domain need enterprise admin privilges? I only ask because we had issues with our test DR run wherein we didn't have access to the root domain and/or a test root domain vmware'd on a laptop and it ended miserably. i am in the process of convincing the higher ups in my corp of letting our IT dept have enterpise admin access. i'd like to make a case for us as to why we would need this accont with concrete examples(aside from the DR one). ones that a semi tech aware CIO could relate to. What other compelling reasons would one need these rights for in day to day(or not so day to day) AD administration? we are a multi-domain(14) win2k forest in mixed mode with exchange2k in native mode. Thank you in advance for any assitance. List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
