Hi Jay,

I'm going to forgo explaining how to do this here, though there was another rather detailed discussion on the activedir.org DL recently and I think some folks were pretty clear about the "how".

I was including the root domain or any domain in the forest. Whether you have two domains or seventeen domains, a domain admin in any one of those domains could do something to another domain if he/she wanted to (and knew how). The best practice takeaway here is that you should have a small number of domain admins for your whole forest (half a dozen or less is a typical number in many large enterprises I've worked at). Those half a dozen people should be the same in every single domain. Your domain admins are people who are a trustworthy bunch. Domains aren't security boundaries like they were in NT4 (or assumed to be in the early days of 2000 -> hence root domains for separating roles); forests are.

Thanks,
Brian Desmond
[email protected]
c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

-----Original Message-----
From: Jay Kulsh [mailto:[email protected]]
Sent: Friday, February 27, 2009 9:13 PM
To: NT System Admin Issues
Subject: Scope of Domain admins of Child domains

Brian,

You wrote "A domain admin in any one domain in a forest can easily be a domain admin in every domain if [s]he wants to be." Could you please explain this? Perhaps you are including the root/parent domain also. In any case I would like to know how it is possible? (I have modified the subject of the thread a bit.)

Jay
___
Jay Kulsh
So. Pasadena, CA

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
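The practical takeaway from Brian's reply is that Domain Admins membership has to be reviewed forest-wide, not one domain at a time, and kept to a small, consistent set of people. The following PowerShell script is an added example for that review; it is not code from the thread or from either poster. It assumes the ActiveDirectory RSAT module is installed, that the account running it can read group membership in every domain of the current forest, and it uses the "half a dozen" figure from the reply as an assumed threshold (`$MaxAdmins`) above which a domain is flagged. Domain Admins is located by its well-known RID (512) rather than by name so the lookup works regardless of localized group names.

```powershell
# Added example, not from the original thread.
# Enumerate the Domain Admins group of every domain in the current forest,
# list its effective (recursive) user membership, and flag domains whose
# count exceeds the threshold. Read-only: it only queries AD.
Import-Module ActiveDirectory

# Assumed threshold taken from the "half a dozen or less" guidance in the reply.
$MaxAdmins = 6

$forest = Get-ADForest
$report = @()

foreach ($domainName in $forest.Domains) {
    try {
        $domain = Get-ADDomain -Server $domainName
    } catch {
        Write-Warning "Could not contact domain $domainName : $($_.Exception.Message)"
        continue
    }

    # Domain Admins always has RID 512 relative to the domain SID.
    $domainAdminsSid = "$($domain.DomainSID.Value)-512"

    # -Recursive expands nested groups so indirect members are counted too.
    $members = Get-ADGroupMember -Identity $domainAdminsSid -Server $domainName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $user = Get-ADUser -Identity $m.DistinguishedName -Server $domainName `
                           -Properties Enabled, LastLogonDate
        $report += [pscustomobject]@{
            Domain         = $domainName
            SamAccountName = $user.SamAccountName
            Enabled        = $user.Enabled
            LastLogonDate  = $user.LastLogonDate
            DistinguishedName = $user.DistinguishedName
        }
    }

    $count = @($members).Count
    if ($count -gt $MaxAdmins) {
        Write-Warning ("{0}: {1} effective Domain Admins (threshold {2})" -f
                       $domainName, $count, $MaxAdmins)
    } else {
        Write-Host ("{0}: {1} effective Domain Admins" -f $domainName, $count)
    }
}

# Full per-domain listing for side-by-side comparison of who holds the role where.
$report | Sort-Object Domain, SamAccountName |
    Format-Table Domain, SamAccountName, Enabled, LastLogonDate -AutoSize
```

Because Domain Admins is a global group, each domain's entries are accounts from that domain, so "the same people in every domain" has to be judged by comparing the per-domain listings against the agreed roster of administrators rather than by matching account names. Disabled or long-idle accounts that still appear in the list are the usual first candidates for removal.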
