Active Directory – Enterprise Admins Don’t Have Admin Permissions in Child Domain

active-directory

I've built a forest for testing consisting of a forest root domain and two child domains. Enterprise admins in the root domain don't seem to have admin privileges on member servers in the child domains.

In Active Directory Domains and Trusts the transitive trusts validate.

DCDiag shows no errors.

Repadmin /showrepl shows no errors and all successful authentications.

DNS seems to be working fine. Zones are replicated to all AD integrated DNS servers in the forest.

NLTest shows everything seems to be fine:

[screenshot: NLTest output]

But when I log in to a child domain member server as a forest root Enterprise Admin (which works fine), I don't get admin permissions:

[screenshots: permissions shown on the child domain member server]

What else can I check?

Best Answer

The default permissions are working as designed. Enterprise Admins do not receive any admin permissions on workstations or member servers.

See https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory#enterprise-admins

Enterprise Admins have no default rights on workstations or member servers.

Domain Admins also inherit all rights and permissions granted to the domain's Administrators group and the local Administrators group on all systems joined to the domain.
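One way to confirm the answer's point on the member server itself, as an added example (not code from the question or the answer): this PowerShell snippet lists the local Administrators group by SID and reports whether the forest root's Enterprise Admins group is among its members. It assumes PowerShell 5.1 or later for Get-LocalGroupMember, a working trust path so the root domain account resolves, and that `$RootDomainNetbios` is replaced with your own root domain's NetBIOS name (the value shown is a placeholder).

```powershell
# Added example: audit the local Administrators group on a child-domain member server
# and check whether the forest root's "Enterprise Admins" group is a member.
# Requires PowerShell 5.1+ (Get-LocalGroupMember) and a trust path to the root domain.
param(
    [string]$RootDomainNetbios = 'ROOTDOMAIN'   # placeholder: NetBIOS name of the forest root domain
)

# Resolve the root domain's Enterprise Admins group to its SID (RID 519 in the root domain).
$eaAccount = New-Object System.Security.Principal.NTAccount("$RootDomainNetbios\Enterprise Admins")
$eaSid = $eaAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Enumerate local Administrators; compare SIDs rather than names so renamed groups still match.
$admins = Get-LocalGroupMember -Group 'Administrators'
$admins |
    Select-Object Name, ObjectClass, PrincipalSource, @{ n = 'SID'; e = { $_.SID.Value } } |
    Format-Table -AutoSize

if ($admins.SID.Value -contains $eaSid) {
    Write-Output "Enterprise Admins ($eaSid) IS a member of local Administrators (added explicitly, not by default)."
} else {
    Write-Output "Enterprise Admins ($eaSid) is NOT a member of local Administrators (the default on a member server)."
}

# On a default-built child-domain member server the child domain's Domain Admins group is listed
# (it is added to local Administrators at domain join) and the root domain's Enterprise Admins is not.
```

Run it in an elevated PowerShell session on the child domain member server; the same SID comparison can be reused against `whoami /groups` output to see which of these groups are actually in the logged-on user's token.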