This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 66%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMR%3C/text%3E%3C/svg%3E)
Hi all, I have one master domain controller called "domain.com" and have two child domain called "child1.domain.com" and "childtwo.domain.com" and also joined the windows 10 machine to the master domain controller "domain.com" and then i have add users on the client windows machine by choose the location "domain.com" or its child domain.
My question is, for domain based i need give promote any user from domain.com as admin role in client windows 10, same as to other sub-domain users. If any domain based admin user can't delete the other domain's admin and users.
Which mean domain based privileges.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,
First of all , let make sure the difference between domain admins and enterprise admins in parent domain (root domain).
Domain Admins:
Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.
Enterprise Admins (only appears in the forest root domain)
Members of this group have full control of all domains in the forest. By default, this group is a member of the Administrators group on all domain controllers in the forest. By default, the Administrator account is a member of this group. Because this group has full control of the forest, add users with caution.
So a admin in the Domain Admins: in the parent domain will not have the permission to deletes users in child domain.
But admins in the Enterprise Admins will have the full permission to controller the child domain, include delete users in child domain.
Best Regards,
@Fan Fan clear definition thanks a lot, but my ultimate goal is i have one workstation windows 10 pro joined to my domain, i should add the users on client workstation choose from the parent domain as well as child domain controller users on remote desktop group on the workstation.
Now all users in parent and child domain controller will able to logon the workstation machine.
So i need to promote anyone user form both domain controller to administrator role on joined workstation. Now the problem occurs the administrator of parent domain controller can able to delete the user even through administrator of child domain controller. How i should restrict these i need an domain based authorisation.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 65%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Hi,
I have a question I have three different sites Norway, the USA, UK, and I have installed ADDC xyz.com in Norway datacenter and AADDC in the USA,UK.
Now my requirement is that USA users authenticate from AADDC installed in the USA data center. Please advise and Guide.