Access Denied: Controlling Enterprise Administrators Access to a Child Domain

I'm planning my company's upgrade to Windows 2000 and Active Directory (AD). My organization—the judicial branch of the state government—will be moving into an existing AD forest of the executive branch of the state government. (A major reason for the change is an upgrade to Microsoft Exchange 2000 Server and the need for a Global Address List—GAL.) Because the judicial branch is a separate branch of the government, I need to prevent the Enterprise Administrators group from gaining access to the judicial branch's systems. Can I remove the Enterprise Administrators group from the child domain's Domain Administrators group?

You're right that in certain situations, you must be part of a larger forest but also independent of the Enterprise Administrators group. The Enterprise Administrators group is a member of the local Administrators group in each domain in the forest, but the answer is more complicated than simply deleting the Enterprise Administrators group from your local Administrators group. Most objects in AD—including users, groups, computers, Group Policy Objects (GPOs), and organizational units (OUs)—grant Enterprise Administrators significant authority.

However, a quick and definite fix to the problem that might work for you is to explicitly deny the Enterprise Administrators group the Access this computer from the network right on all the domain controllers (DCs) in your domain. First, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, right-click the Domain Controllers OU, select Properties, then click the Group Policy tab. Edit the Default Domain Controllers Policy GPO, then navigate to the \computer configuration\windows settings\security settings\local policies\user rights assignments folder. Then, in the details pane, double-click Deny access to this computer from the network and add the Enterprise Administrators group. Be aware that this measure prevents members of the Enterprise Administrators group from gaining access to any Win2K resources on your DCs, including shared folders and event logs.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.