Active Directory Administrators

Enterprise admins

Active Directory is a land of several monarchs. The first and best known of these is the domain administrator: the authority with full control over the configuration and management of users, groups, devices, and permissions for a given domain.

Having a single point of authority works well as long as you’re only talking about one domain. But what happens when you have two or more domains? In keeping with all the arboreal metaphors, Active Directory’s designers decided to call a group of domains a “forest” and to give this higher level of control its own ruler, the enterprise administrator.

Their power is great, but subtle. For example, domain administrators don’t notice that this higher power exists until they try to do something within their domain that impacts other domains, such as changing Active Directory trusts or adjusting the Active Directory schema. Only an enterprise admin can make these changes, which is why membership of this group is carefully guarded. These individuals use their immense power infrequently, but to great effect.

Read more: Privileged access management for Windows Active Directory domain

FSMO – Flexible Single Master Operation

Updating data on one AD domain controller sounds simple enough, but what happens if an organization has several controllers? How do they avoid conflicts when replicating the same data, and how do they do so without creating a single point of failure?

The answer is Active Directory’s equivalent of clustering, Flexible Single Master Operation (FSMO). This divides domain responsibilities into five roles across multiple DCs, each of which performs a different housekeeping function. Importantly, if one goes down, the others can assume the responsibilities of the missing controller.

Schema admin

The Active Directory schema is often described as complex. In fact, it’s incredibly simple. Active Directory is a database, or directory, of network resources such as accounts, users, devices, applications, and logical entities such as groups used to organize them.

But all of these have their own attributes, and that requires a second database. This second database sets out the rules for how Active Directory defines information about each attribute.

This is the schema, and the accounts with the power to adjust this schema are called, unsurprisingly, schema administrators. Needless to say, fiddling with the schema is not something done often, if at all. But when you do, you’d better have the super skills to know what in the hell you are doing.

Windows domain administrators

When people refer to an Active Directory administrator, they’re usually referring to the Windows domain administrator. In fact, Active Directory has several types of admin that perform different roles, but it’s an understandable misconception.

These Windows domain admins seem to hold all the power. But that’s not always true. Active Directory’s hierarchical system is complex (second only perhaps to Game of Thrones’). Except that with Active Directory, nobody is allowed to become too powerful, and everyone sticks to an assigned sphere of influence.
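The FSMO roles and the three privileged groups described above (Enterprise Admins, Schema Admins and Domain Admins) are things an administrator should be able to verify rather than take on trust. The following script is an added example, not code from the original article or from UserLock; it assumes the ActiveDirectory RSAT module is installed and the caller has read access to the forest.

```powershell
# Added example (not from the original article): list the FSMO role holders
# and the members of the privileged groups the article discusses.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Two FSMO roles are forest-wide (on the forest object); three are per-domain.
$fsmo = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}
"FSMO role holders for $($domain.DNSRoot):"
$fsmo.GetEnumerator() | ForEach-Object { "  {0,-22} {1}" -f $_.Key, $_.Value }

# Enterprise Admins and Schema Admins exist only in the forest root domain, so
# they are queried there; Domain Admins is queried in the current domain.
$groups = @(
    @{ Name = 'Enterprise Admins'; Server = $forest.RootDomain },
    @{ Name = 'Schema Admins';     Server = $forest.RootDomain },
    @{ Name = 'Domain Admins';     Server = $domain.DNSRoot }
)

foreach ($g in $groups) {
    # -Recursive expands nested groups so indirect members are not missed.
    $members = @(Get-ADGroupMember -Identity $g.Name -Server $g.Server -Recursive |
        Sort-Object SamAccountName)
    "`n$($g.Name) ($($members.Count) members, queried via $($g.Server)):"
    $members | ForEach-Object { "  {0,-10} {1}" -f $_.objectClass, $_.SamAccountName }

    # Schema Admins is normally kept empty outside a planned schema change.
    if ($g.Name -eq 'Schema Admins' -and $members.Count -gt 0) {
        Write-Warning 'Schema Admins is not empty; confirm a schema change is in progress.'
    }
}
```

Run it periodically and diff the output against the previous run; an unexpected new member of Enterprise Admins or Schema Admins, or an FSMO role that has moved to a different controller, is worth investigating.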

Read more:
I want to delegate UserLock administration. Do UserLock operators require Windows domain administrator privileges?

Two Factor Authentication & Access Management for Windows Active Directory

UserLock helps administrators to manage and secure access for every user, without obstructing employees or frustrating IT.
