The world's most trusted forum on Active Directory Security
This is my first post on this message board, and I hope to learn from your input and share my admin experiences and knowledge with you all, so thank you in advance for considering my question.
I would like to know if Domain Admins are really as powerful as Enterprise Admins?
I mean I know that they are not as powerful by default, but could a Domain Admin elevate their privilege to that of an Enterprise Admin? I ask because we have multiple domains, and while we only have a few Enterprise Admins, we do have a siezable number of Domain Admins in our domains, and we often wonder if they could somehow be as powerful as us.
Thanks for your input.
Dobryj Vyechyer comrade! Kak vy pozhivayetye?
Good question, and I'm sure one that a lot of you have wondered about.
Let me answer your question with a question...
Q. Do you know which is the most powerful group in Active Directory?
I'll give you a hint - it is neither Domains Admins, nor Enterprise Admins.
I can answer your question in ONE minute, but I would also like to give other comrades on the forum a chance to think about this and provide their inputs.
Я девушка Ferrari!
Are you saying that there is a group in Active Directory that is MORE POWERFUL than even Domain Admins or Enterprise Admins?
Also, if you don't mind me asking, are you from Russia? (I only ask because you use the words Comrade, and that reminded me of the movie Salt.)
We will NEVER forget.
Yes, that's exactly what I am saying - there is a group in Active Directory that is more powerful than Domain Admins and Enterprise Admins. Do you know which one it is?
Also, yes, I am from Russia.
I'm not sure I understand. You are saying that is a group in Active Directory that is more powerful than even Enterprise Admins?
How can that be?
Most of the companies I know of have an administrative hierarchy in place where Enterprise Admins are at the very top of the power pyramid.
Well, if there is a more powerful group than Enterprise Admins, could you please share your thoughts on which one it is, and why it is more powerful than Enterprise Admins?
This should come as no surprise, but indeed, neither Domain Admins nor Enterprise Admins is the most powerful group in Active Directory. The most powerful group in Active Directory is actually the Builtin Admins group in each domain.
If you'd like to know why this is so, just let me know.