Microsoft Windows uses a forest structure, and inside that forest are domains. Most small companies only have one domain, but it is still in a forest… a forest with one domain.
An Enterprise Admin can make changes to things in the forest, while a Domain Admin can only affect things in the specific domain they are assigned to. Put simply, Enterprise Admins are in “God Mode”.
Enterprise Admins can do things like add domains to the forest. Here are some things Enterprise Admins can do that Domain Admins cannot:
Last month we had a new customer who wanted to audit their Active Directory and determine which user accounts were Enterprise Admins.
The easiest way to see if a user is an Enterprise Admin is to look at the Member Of tab in Active Directory Users and Computers, as shown in the screenshot to the right.
However, in larger organizations, reviewing each user one by one is a real pain. You could instead look at the Members of the Enterprise Admins group, but there may be too many to view on the screen, so a simple script like the one below might be handy.
Make sure you run it in a PowerShell session started as an administrator:
# Import Active Directory module
Import-Module ActiveDirectory
# Get Enterprise Admins group
$enterpriseAdminsGroup = Get-ADGroup -Identity "Enterprise Admins"
# Get members of the Enterprise Admins group; -Recursive expands nested groups
$members = Get-ADGroupMember -Identity $enterpriseAdminsGroup -Recursive
# Retrieve additional properties for each user member
# (Get-ADUser errors on non-user members such as computers, so filter first)
$members | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
    Get-ADUser -Identity $_.DistinguishedName -Properties Surname, GivenName, Description |
        Select-Object @{Name='Last Name';Expression={$_.Surname}},
                      @{Name='First Name';Expression={$_.GivenName}},
                      Name, SamAccountName, DistinguishedName, Description
} | Format-Table -AutoSize
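A forest-aware version of the same audit, as an added example that is not part of the original post: it finds the Enterprise Admins group in the forest root domain by its well-known RID (519) rather than by name, includes non-user members in the report, and adds the account-state columns an auditor usually wants. It assumes the members live in the forest root domain; the CSV file name is a placeholder.

```powershell
# Added example (not from the original post): forest-aware Enterprise Admins audit.
Import-Module ActiveDirectory

# The Enterprise Admins group exists only in the forest root domain.
$rootDomain = (Get-ADForest).RootDomain

# RID 519 is the well-known identifier for Enterprise Admins, so this
# lookup still works if the group has been renamed.
$eaSid   = '{0}-519' -f (Get-ADDomain -Server $rootDomain).DomainSID.Value
$eaGroup = Get-ADGroup -Identity $eaSid -Server $rootDomain

# -Recursive expands nested groups so indirect members are not missed.
$members = Get-ADGroupMember -Identity $eaGroup -Server $rootDomain -Recursive

$report = foreach ($m in $members) {
    $enabled = $null; $lastLogon = $null; $pwdLastSet = $null

    if ($m.objectClass -eq 'user') {
        try {
            # Assumption: the account lives in the forest root domain.
            $u = Get-ADUser -Identity $m.DistinguishedName -Server $rootDomain `
                    -Properties Enabled, LastLogonDate, PasswordLastSet -ErrorAction Stop
            $enabled    = $u.Enabled
            $lastLogon  = $u.LastLogonDate
            $pwdLastSet = $u.PasswordLastSet
        }
        catch {
            # Keep the row so the member still shows up for manual review.
            $enabled = 'unresolved'
        }
    }

    [pscustomobject]@{
        Name              = $m.Name
        SamAccountName    = $m.SamAccountName
        ObjectClass       = $m.objectClass   # non-user members are listed too
        Enabled           = $enabled
        LastLogonDate     = $lastLogon
        PasswordLastSet   = $pwdLastSet
        DistinguishedName = $m.DistinguishedName
    }
}

# On-screen view plus a CSV copy to keep with the audit record.
$report | Sort-Object ObjectClass, SamAccountName | Format-Table -AutoSize
$report | Export-Csv -Path .\EnterpriseAdmins-audit.csv -NoTypeInformation
```

Rows where Enabled is True but LastLogonDate is old or empty are the ones to question first, since the group should normally hold very few active accounts.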