I’ve been on the activedir mailing list and I’ve heard that it is possible for a domain admin to gain enterprise admin access. I know you can do this physically from one of the root DCs, and I know that MS considers the forest the security boundary, NOT the domain, but I was wondering how this can be done (is it through sidHistory? I think that was taken care of with sidFiltering).
I ask because I’m an enterprise admin, and the IT managers gave each local IT dept. a domain and made them all domain admins but NOT enterprise admins (management doesn’t trust them enough for that).
So I was wondering: how easy would it be for a domain admin to inject him/herself into the enterprise admin group in a Win2k SP4 forest, root domain in native mode?