Re: Enterprise CA options greyed out.



Not undocumented - http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/dgbd_ads_xsfl.mspx, for instance, lists that the domain admins of the forest root domain are able to make accounts members of the Enterprise Admins and Schema Admins groups.

This is a natural consequence of having a forest root domain, whether it was documented or not, so should come as no surprise - but it is documented.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

"Gunna" <Gunna@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:BC1EEE48-7DB2-4582-8BE7-A19CD0FBF970@xxxxxxxxxxxxxxxx
Thanks Paul,

Nice undocumented feature that. Might explain a few strange issues I noticed
in AD. I'll just accept that since it works in my environment :)

"Paul Adare - MVP" wrote:

On Wed, 3 Sep 2008 22:36:06 -0700, Gunna wrote:

> I just built a new environment. Standard Server 2003 SP2 domain controller
> and a Standard Server 2003 SP2 for my Root CA. I logged onto the 2nd machine
> as a user with local admin to the second server only (only domain membership
> was Domain Users) and tried to install PKI and sure enough I only got the
> Standalone options. I stopped the install and then logged on using an
> account I created and placed only in the Domain Users and Domain Admins
> groups. Then started to install Certificate services and I got both the
> Enterprise and Standalone options. I then installed it completely as
> Enterprise Root CA as a Domain Admin only with no visible errors or issues.
> So what is the Enterprise Admin requirement for?

The Domain Admins group in a single domain forest, or in the root domain of
a multi-domain forest, has more power than the Domain Admins group in
child domains. You're still better off getting in the habit of using
Enterprise Admins, as that group will always be able to install an
Enterprise CA, regardless of the domain/forest structure.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Compile: A heap of decomposing vegetable matter.
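Added example, not from any poster in this thread: a PowerShell check of the conditions Paul and Alun describe, run on a domain-joined machine as the account that will install Certificate Services. It reads the logon token to see whether that account is in Enterprise Admins or Domain Admins, and checks whether the machine's domain is the forest root; the helper name Get-DomainSid and the output wording are my own.

```powershell
# Added example (not from the thread). Assumes a domain-joined machine and no AD
# PowerShell module: only .NET System.DirectoryServices / System.Security.Principal.
Add-Type -AssemblyName System.DirectoryServices

function Get-DomainSid([System.DirectoryServices.ActiveDirectory.Domain]$d) {
    # objectSid of the domain naming context, as a SecurityIdentifier (S-1-5-21-...)
    $bytes = [byte[]]$d.GetDirectoryEntry().Properties['objectSid'].Value
    New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$isForestRoot = ($domain.Name -ieq $forest.RootDomain.Name)

# Well-known RIDs: 512 = Domain Admins (one per domain), 519 = Enterprise Admins
# (exists only in the forest root domain, so build it from the root domain SID).
$domainAdmins     = New-Object System.Security.Principal.SecurityIdentifier("$(Get-DomainSid $domain)-512")
$enterpriseAdmins = New-Object System.Security.Principal.SecurityIdentifier("$(Get-DomainSid $forest.RootDomain)-519")

# IsInRole reads the logon token, so membership granted after logon is not seen
# until the account logs on again (the same token the CA setup wizard evaluates).
$principal = New-Object System.Security.Principal.WindowsPrincipal(
    [System.Security.Principal.WindowsIdentity]::GetCurrent())
$isEA = $principal.IsInRole($enterpriseAdmins)
$isDA = $principal.IsInRole($domainAdmins)

"Computer domain          : {0} (forest root: {1})" -f $domain.Name, $isForestRoot
"Enterprise Admins member : {0}" -f $isEA
"Domain Admins member     : {0}" -f $isDA

if ($isEA) {
    'Enterprise CA options will be offered in any domain of the forest.'
} elseif ($isDA -and $isForestRoot) {
    'Domain Admin in the forest root: Enterprise options are offered here because this ' +
    'group can change Enterprise Admins membership. Use a dedicated Enterprise Admins ' +
    'account for the install so the procedure does not depend on domain layout.'
} elseif ($isDA) {
    'Domain Admin in a child domain: expect only the Standalone CA options.'
} else {
    'Not a domain-level admin: expect only the Standalone CA options.'
}
```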
