
Active Directory Domain Admin Rights

18 years 3 months ago #12945 by drizzle
Here is my AD structure:
[code:1]
company.local (Forest Root)
|---corp.company.local (Parent Domain)
----|----bus.corp.company.local (Child Domain)
----|----dev.corp.company.local (Child Domain)
----|----mkt.corp.company.local (Child Domain)
[/code:1]
Okay, so the question is, does a Domain Admin (not an enterprise admin) have Domain Admin rights on the 3 child domains or does it have to be specifically granted?

I realize this AD architecture sucks but it's beyond the point of changing right now. This question was raised because of some SOX requirements.
18 years 3 months ago #12949 by TheBishop
Replied by TheBishop on topic AD Question
Hmm, I think the answer is no, but I'm being disagreed with by a couple of my colleagues here. My opinion comes from these quotes:

Members of the Domain Administrators group are granted full control access to all objects in a domain. If a portion of your organization does not want its data to be compromised by members of the Domain Administrators group, you can create another domain and give administrative control to those members of the organization.


and

Any administrative rights granted to groups and users within a domain are only valid within that domain. For example, the Domain Administrators group by default is granted Full Control access to the domain. Members of that group cannot administer other domains where they are not in the Domain Administrators group.


(Quotes from 'Describing Active Directory Components' By Neall Alcott. Sample Chapter is provided courtesy of Sams. Date: May 17, 2002 www.samspublishing.com/articles/article....p=26896&seqNum=3 )

However my colleagues are arguing that since a two-way transitive trust is automatically created between the parent and child domains when you create a child domain then that negates my arguments!

Each time you create a new domain in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain. If child domains are added to the new domain, the trust path flows upward through the domain hierarchy extending the initial trust path created between the new domain and its parent domain.

Transitive trust relationships flow upward through a domain tree as it is formed, creating transitive trusts between all domains in the domain tree.

Authentication requests follow these trust paths, so accounts from any domain in the forest can be authenticated at any other domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest. For more information, see Authentication protocols overview.

The diagram displays that all domains in the Domain A tree and all domains in the Domain 1 tree have transitive trust relationships by default. As a result, users in the Domain A tree can access resources in domains in the Domain 1 tree and users in the Domain 1 tree can access resources in the Domain A tree, when the proper permissions are assigned at the resource.


From technet2.microsoft.com/WindowsServer/en/...4e5ac007ba41033.mspx

I think the clue is in the bit I underlined - the resources have to be defined. So they need to be added into the Administrators group first.

However I may be wrong!!! We will consult the Jedi Council when they arrive in the office for confirmation, unless anyone out there can settle this first.
18 years 3 months ago #12950 by Rockape
Hi

The Bishop and I took ages to come up with his reply. We think we have the right answer. At least that's what we could find on TechNet. But like he said, we shall await the rest of the Jedi Council and debate the question there. I'm only a Padawan at the moment, and The Bishop is my instructor, so normally I have to abide by his decisions (normally :lol: )
18 years 3 months ago #12959 by Dead-Neur0ns
Domains

The Windows 2000 or Windows Server 2003 domain is an administrative boundary. Administrative rights do not flow across domain boundaries, nor do they flow down through a Windows 2000 or Windows Server 2003 domain tree.

For example, if you have a domain tree with domains A, B, and C, where A is the parent domain of B and B is the parent domain of C, users with administrative rights in domain A do not have administrative rights in B, nor do users with administrative rights in domain B have administrative rights in domain C. To obtain administrative rights in a given domain, a higher authority must grant them. This does not mean, however, that an administrator cannot have administrative rights in multiple domains; it simply means that all rights must be explicitly defined.

Source: support.microsoft.com/kb/310997/EN-US/

<= IИse©u®ity Is A ®esult Of T®ying To Be Se©u®e =>
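The KB text above says admin rights in each domain must be explicitly granted, so for a SOX-style review the useful check is to list, per domain, who actually sits in the privileged groups and which of those members come from another domain (the Enterprise Admins of the forest root are the usual case). The script below is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module and an account that can read every domain in the forest.

```powershell
# Added example: audit Domain Admins and Administrators in every domain of the
# forest and flag members whose SID does not belong to that domain.
Import-Module ActiveDirectory

function Get-ForestPrivilegedMembers {
    $forest = Get-ADForest
    # A global catalog can resolve any object DN in the forest, including
    # cross-domain members of domain-local groups (assumption: port 3268 reachable).
    $gc = "$($forest.RootDomain):3268"

    foreach ($domain in $forest.Domains) {
        $domainSid = (Get-ADDomain -Server $domain).DomainSID.Value
        # Domain Admins is a global group (own-domain members only).
        # Administrators is domain-local, so this is where principals from
        # other domains get in when rights are granted explicitly.
        foreach ($groupName in 'Domain Admins', 'Administrators') {
            $group = Get-ADGroup -Identity $groupName -Server $domain -Properties member
            foreach ($dn in $group.member) {
                try {
                    $obj = Get-ADObject -Identity $dn -Server $gc -Properties objectSid, objectClass
                    $sid = $obj.objectSid.Value
                    $class = $obj.objectClass
                } catch {
                    $sid = 'UNRESOLVED'   # worth a manual look during the review
                    $class = 'unknown'
                }
                [pscustomobject]@{
                    Domain          = $domain
                    Group           = $groupName
                    Member          = $dn
                    ObjectClass     = $class
                    MemberSid       = $sid
                    # Domain-local SIDs are <domain SID>-<RID>; anything else was
                    # granted from outside this domain (or is a well-known SID).
                    FromOtherDomain = -not $sid.StartsWith("$domainSid-")
                }
            }
        }
    }
}

# Example run: show only the explicitly granted cross-domain entries.
Get-ForestPrivilegedMembers | Where-Object FromOtherDomain | Format-Table -AutoSize
```

Nested groups are listed as a single member here; expand them separately if the review needs effective membership rather than direct membership.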
18 years 3 months ago #12977 by jhun
I would also agree with Bishop, Rockape, and Dead-Neur0ns' opinions, based on what I have read so far:

What Are Domains?

Domains are logical directory components that you create to manage the administrative requirements of your organization. The logical structure is based on the administrative requirements of an organization, such as the delegation of administrative authority, and operational requirements, such as the need to control replication. In general, domains are used to control where in the forest replication of domain data occurs and organizational units are used to further organize network objects into a logical hierarchy and delegate control to appropriate administrative support personnel.

Domains can also be defined as:
• Containers within a forest
• Units of Policy
• Units of Replication
• Authentication and Authorization Boundaries
• Units of Trust

Each domain has a domain administrators group. Domain administrators have full control over every object in the domain. These administrative rights are valid within the domain only and do not propagate to other domains.




Domains as Units of Policy

A domain defines a scope or unit of policy within a forest. Some policy settings apply only to the scope of a domain, that is, the policy settings are domain-wide. Account policies, for example, apply uniformly to all user accounts in the domain. Although a domain is not the smallest unit of policy that can be assigned (policies can be assigned to organizational units) it is the most commonly used unit when splitting administrative duties between departments and subsidiaries located in different geographical locations. As shown in the following figure, you might need to create multiple domains to provide for policy variance among domains throughout a forest (please refer to the source for the figure). A domain is also considered a unit of access control, in that it can be used for business groups requiring general autonomy.


Domains still have their uniqueness set apart from other domains even within a forest and are set upon by boundaries which are explicitly defined.
source:

technet2.microsoft.com/WindowsServer/en/...8821d45bcc71033.mspx