Applicable To:
Windows Server 2003, 2008, 2008 R2 and 2012.
Disclaimer:
For know-how only!
Setup:
AD.TESTLAB.COM and PROJECT.AD.TESTLAB.COM
Requirement:
Restrict Enterprise Admins from the Child Domain?
Details:
When the child domain is introduced, the Enterprise Admins group is added by default to the Child Domain\Administrators group (Builtin Local Security group). If you wish to restrict Enterprise Admins from managing the child domain, follow the steps below.
Remove Enterprise Admins group from Child Domain\Administrators group (Builtin Local Security group).
Remove Enterprise Admins from DNS.
Remove Enterprise Admins group from GPMC, though that group has Read-only permissions!
Remove Enterprise Admins group from NTDS settings for each child DC available in Active Directory Sites and services.
P.S. To perform the aforementioned tasks, your ID needs to be a member of the Child Domain\Administrators or Child Domain\Domain Admins group, or you should log on to the child domain with the Child Domain\Administrator account.
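To confirm the result afterwards, the following read-only audit reports whether Enterprise Admins is still a member of the child domain's Administrators group and still holds access control entries on each child DC's NTDS Settings object. It is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later) and the domain names from the Setup section, and it does not cover the DNS or GPMC steps.

```powershell
# Added example: read-only audit, run as a child-domain administrator.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 and later).
Import-Module ActiveDirectory

$RootDomain  = 'AD.TESTLAB.COM'          # forest root from the Setup section
$ChildDomain = 'PROJECT.AD.TESTLAB.COM'  # child domain from the Setup section

# Enterprise Admins is defined in the forest root domain.
$ea = Get-ADGroup -Identity 'Enterprise Admins' -Server $RootDomain

# Check 1: membership of the child domain's Builtin\Administrators group.
$admins = Get-ADGroup -Identity 'Administrators' -Server $ChildDomain -Properties member
[pscustomobject]@{
    Check  = 'Child Domain\Administrators membership'
    Target = $admins.DistinguishedName
    Found  = ($admins.member -contains $ea.DistinguishedName)
    Detail = ''
}

# Check 2: ACEs for Enterprise Admins on the NTDS Settings object of each child DC.
# Rules are requested as SIDs so the match does not depend on name translation.
$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($dc in Get-ADDomainController -Filter * -Server $ChildDomain) {
    $acl  = Get-Acl -Path ('AD:\' + $dc.NTDSSettingsObjectDN)
    $aces = @($acl.GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $ea.SID.Value })

    # Inherited entries come from a parent container and remain visible
    # here even after the explicit entry on the object has been removed.
    $explicit  = @($aces | Where-Object { -not $_.IsInherited }).Count
    $inherited = @($aces | Where-Object { $_.IsInherited }).Count

    [pscustomobject]@{
        Check  = 'NTDS Settings ACL'
        Target = $dc.NTDSSettingsObjectDN
        Found  = ($aces.Count -gt 0)
        Detail = "explicit=$explicit inherited=$inherited"
    }
}
```

A `Found` value of `True` on any row means Enterprise Admins still has a path into the child domain at that location.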