Manage a Child Domain as Enterprise Admin

Say your AD forest root is ‘smashcorp.local’, and you have two child domains, ‘flowerco.smashcorp.local’ and ‘oilchange.smashcorp.local’. The oilchange domain was upgraded in place from NT4 directly into the forest, while flowerco was already an AD domain, so a new DC was created for it and its contents were, in effect, ‘copied’ into the smashcorp forest.

If you are a member of the Enterprise Admins group of smashcorp, you might notice that while you can manage oilchange just fine, flowerco throws some strange permissions errors (for example, you can delete GPOs but not create them) and keeps prompting you for credentials on routine operations. Running dcdiag from a smashcorp DC against flowerco reports “failed test NetLogons”, along with access denied errors on the Services, FrsSysVol, FrsEvent, KccEvent, and SystemLog tests.

After scratching my head over this for a couple of days, and getting tired of RDPing into flowerco, I finally found where Enterprise Admins was missing from flowerco. In Active Directory Users and Computers, connected to a flowerco DC, open the Builtin container and add Enterprise Admins to the Administrators group. When a child domain is created with dcpromo, Enterprise Admins is made a member of that domain's Builtin\Administrators automatically; apparently this didn’t happen with the way flowerco was brought into the forest initially.
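The same check and fix scripted, so you can run it against every child domain instead of clicking through ADUC. This is an added example and not part of the original post; it assumes the RSAT ActiveDirectory module, that you run it as an Enterprise Admin, and the hypothetical domain names from the post (smashcorp.local as the forest root, flowerco.smashcorp.local as the child).

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module is installed, the forest root is smashcorp.local, the child domain is
# flowerco.smashcorp.local, and the caller is an Enterprise Admin.
Import-Module ActiveDirectory

$rootDomain  = 'smashcorp.local'
$childDomain = 'flowerco.smashcorp.local'

# Enterprise Admins only exists in the forest root domain, so resolve it there.
$ea = Get-ADGroup -Identity 'Enterprise Admins' -Server $rootDomain

# Builtin\Administrators has the same well-known SID (S-1-5-32-544) in every
# domain, so address it by SID on a DC of the child domain rather than by name.
$childDc = (Get-ADDomainController -DomainName $childDomain -Discover).HostName[0]
$admins  = Get-ADGroup -Identity 'S-1-5-32-544' -Server $childDc -Properties member

if ($admins.member -contains $ea.DistinguishedName) {
    Write-Host "Enterprise Admins is already in Builtin\Administrators of $childDomain"
}
else {
    Write-Host "Enterprise Admins is MISSING from Builtin\Administrators of $childDomain; adding it"
    # Adding by distinguished name via Set-ADGroup works reliably across domains,
    # where Add-ADGroupMember can be fussy about cross-domain principals.
    Set-ADGroup -Identity $admins -Server $childDc -Add @{ member = $ea.DistinguishedName }
}

# Re-run the dcdiag tests the post saw failing, once replication has caught up.
dcdiag.exe /s:$childDc /test:NetLogons /test:Services /test:FrsSysVol /test:FrsEvent /test:KccEvent /test:SystemLog
```

Wrap the body in a `foreach` over `(Get-ADForest).Domains` (skipping the root) to audit every child domain in one pass; the Builtin\Administrators SID lookup makes the script independent of localized group names.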