When a member server is joined to one domain in a forest, should members of other-dom\domain admins be Administrators

Andrew Bartlett abartlet at samba.org
Tue May 1 17:01:40 MDT 2012

On Tue, 2012-05-01 at 14:25 -0700, Richard Sharpe wrote:
> Hi,
> When a member server, say SRV1 joins DOM1.someforest.local, should a
> member of OTHERDOM.DOM1.someforest.local also have membership of
> BUILTIN\Administrators on the  member server?

As far as I understand it, no.  Forest admins might of course, but
domain admins are per-domain.  (Of course, the real security boundary is
the forest, and any domain admin could subvert their own server and take
over the forest, but just don't tell the auditors...). 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list