Manage AD Domains

When planning your AD environment, the number of forests and domains you select will be based on the security and administrative requirements of your organization. The AD forest constitutes the security boundary: AD administrators from one forest can't exert administrative privileges within a separate AD forest (unless a trust relationship is in place). Conversely, if you have multiple domains within a single AD forest, the Enterprise Admins group in the forest root domain has default administrative privileges across the entire forest, including all child domains. In fact, Domain Admins in any child domain can potentially (although not by default) escalate their privileges so that they can access any domain ...
