Active Directory

Enterprise Admins Group

The Enterprise Admins group is one of the predefined security groups that Windows 2000 creates in Active Directory; it appears in the Users container of Active Directory Users and Computers. It exists only in the forest root domain. While the forest root domain is in mixed mode it is a global group; once the domain is switched to native mode it becomes a universal group. Its members are the designated administrators of the entire enterprise, who exercise control over every domain in the forest (as opposed to Domain Admins, who control only their own domain).
Windows 2000 creates this group automatically when the first domain of the forest (the forest root) is created; it is not created again in child domains. If a user should have administrative control throughout the entire enterprise, add the account to the Enterprise Admins group. Enterprise Admins must in turn be a member of the Administrators domain local group of every domain in the forest; this nesting is set up automatically when a domain joins the forest and is what actually grants the rights, so if it has been removed from a domain it has to be added back. Because membership of this one group grants control over the whole forest, keep it as small as possible and review its membership regularly.


Active Directory supports three group scopes: domain local, global, and universal. Groups in each scope behave slightly differently depending on the domain and forest functional levels. To complicate matters further, a group of any scope can be one of two types: distribution or security. The type is the easiest piece to define. If the type is distribution, the group's SID is not added to a user's access token at logon, so the group cannot be used for Windows security purposes (it cannot be granted rights or placed in an ACL). Distribution groups are generally used as messaging lists (a set of users you can mail or send instant messages to all at once), though they can serve as authorization groups for LDAP-based applications or other applications that do not use the standard Windows security model. Microsoft Exchange represents its distribution lists as Active Directory distribution groups. Security groups, by contrast, are enumerated at logon, and the SID of every security group the user belongs to, directly or through nesting, is added to the user's access token. Security groups can also be used by Exchange as distribution lists.

Every Windows version that supports Kerberos runs into trouble when a security principal is a member of too many groups: the principal's access token, which carries one SID per group, grows larger than the maximum Windows can handle, and users see authentication failures, Group Policy processing errors, or other Kerberos errors. This is commonly called token bloat. The limit is controlled by the MaxTokenSize value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters; it defaults to 12000 bytes on Windows versions up to Windows Server 2008 R2 and to 48000 bytes on Windows 8 and Windows Server 2012 and later.

The three scopes, which apply to distribution and security groups alike, are a legacy of Windows NT and of the introduction of the global catalog (GC). Global and domain local groups are the direct descendants of Windows NT global and local groups; their membership is available only from domain controllers of the domain in which they are created (the GC lists the groups themselves, but not their members). Universal group membership is available both from the domain controllers of the domain in which the group is created and from every GC in the forest, which is why a universal group's members can be resolved at logon anywhere in the forest. Universal and global groups can be used in access control lists (ACLs) on any resource in the forest or in trusting domains. Domain local groups can be used in ACLs only in the domain in which they are created.
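The following PowerShell function is an added example, not part of the original page or of any Microsoft tool. It turns the token bloat discussion above into a check an administrator can run: it walks a user's nested security group memberships, sorts them by scope and domain in the way the token-size estimate from Microsoft KB 327825 (TokenSize = 1200 + 40d + 8s, where d counts domain local groups, universal groups from other domains and sIDHistory entries, and s counts global groups and universal groups from the user's own domain) requires, and compares the estimate with MaxTokenSize. It assumes the ActiveDirectory module is installed and that the user and all of its groups live in the domain the session is connected to; domain local groups from other domains in the forest would need a separate query against each of those domains. The account name 'jdoe' is a placeholder.

```powershell
# Added example (not from the original page): estimate a user's Kerberos
# token size from transitive security group membership, per KB 327825.
# Assumes the ActiveDirectory module and that the user's groups are all in
# the current domain; groups from other domains need their own query.

Import-Module ActiveDirectory

function Get-EstimatedTokenSize {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # 12000 bytes is the default MaxTokenSize up to Windows Server 2008 R2;
        # Windows 8 / Server 2012 and later default to 48000.
        [int] $MaxTokenSize = 12000
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties SIDHistory
    $userDomainSid = $user.SID.AccountDomainSid.Value

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the DC expand
    # nested membership server side, so each group is returned once.
    $filter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $groups = Get-ADGroup -LDAPFilter $filter |
        Where-Object { $_.GroupCategory -eq 'Security' }   # distribution groups never reach the token

    $d = 0   # domain local groups + universal groups from other domains + sIDHistory
    $s = 0   # global groups + universal groups from the user's own domain
    foreach ($g in $groups) {
        $sameDomain = ($g.SID.AccountDomainSid.Value -eq $userDomainSid)
        switch ($g.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($sameDomain) { $s++ } else { $d++ } }
        }
    }
    # Every SID carried in sIDHistory is added to the token as well.
    $d += ($user.SIDHistory | Measure-Object).Count

    $estimate = 1200 + 40 * $d + 8 * $s
    [pscustomobject]@{
        User                   = $SamAccountName
        SecurityGroups         = @($groups).Count
        DomainLocalOrForeign   = $d
        GlobalOrLocalUniversal = $s
        EstimatedBytes         = $estimate
        ExceedsMaxToken        = ($estimate -gt $MaxTokenSize)
    }
}

# Usage with a placeholder account name; pass -MaxTokenSize 48000 on newer OS versions.
Get-EstimatedTokenSize -SamAccountName 'jdoe' | Format-List
```

The formula is an estimate of the group portion of the token, not a byte-exact measurement, so treat ExceedsMaxToken as a prompt to trim nesting or raise MaxTokenSize rather than as proof of failure. Because universal group membership is replicated to every GC while global and domain local membership is not, universal groups from the user's own domain are counted with the cheaper global groups, and foreign universal groups with the domain local ones, exactly as the KB formula does.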