Re: Domain Admin can't log into child domains



It is that way because someone has set it up that way.
Domain Admins can only log into their own domain in the
default. Enterprise Admins are granted wide-spread rights
in all domains. That is all changable.
The things you need to examine are:
memberships in the Administrators and Domain Admins
groups of each domain
memberships in the Enterprise Administrators group
failing finding them in the above then check Users
grants of terminal services login, either via the Remote
Desktop Users group or directly in the permissions
on the RDP connectoid in the TS config mgmt applet
grants of the Log on locally user rights (for example, you
did not say child DAs are admins in the parent, only that
they could log into the boxes of the parent)
"Ageing Brilliantine Stick Insect"
<AgeingBrilliantineStickInsect@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1FC8A36A-7297-4666-8D97-55F29C4A24B9@xxxxxxxxxxxxxxxx
We have 2 domains - a parent and a child. They are separated physically -
2
different buildings. Administrators in the child domain can log onto any
of
the servers in the parent domain (via terminal services, or physically
sitting at the console) using their child domain credentials (ie
username/password/child-domain-name), however administrators in the parent
domain cannot log onto servers in the child domain (via terminal services,
or
physically sitting at the console) using their parent domain credentials
(ie
username/password/parent-domain-name). Howcome?


.



Relevant Pages

  • Re: Should be a simple task
    ... The domain admins group is a global group and as ... >> users in the child domain. ... >>> I want to manage the student's accounts in the parent domain but NOT ...
    (microsoft.public.windows.server.active_directory)
  • Re: Should be a simple task
    ... the domain admins group... ... users in the child domain. ... > I want to manage the student's accounts in the parent domain but NOT have ... > which they will administer: 2 students per domain: one DC and one MS. ...
    (microsoft.public.windows.server.active_directory)
  • Schema User attribute question
    ... create a mandatoru user attribute that would be applied to all users A & B ... but is only editable by Domain a domain admins - no domain b users ...
    (microsoft.public.windows.server.active_directory)
  • Re: Domain Admin cant log into child domains
    ... Hence domain admins cannot next into domain admins of another ... That is why I suggested you also examine the Administrators ... I have gone into the child domain through DSA, ... the servers in the parent domain (via terminal services, ...
    (microsoft.public.security)
  • Avoid Dom Admin to remove Enterprise admin
    ... Use GroupPolicy 'Restricted groups' to resolve this issue. ... >I need to force that Domain Admins from child domain are ... >not able to remove Enterprise admins from the ...
    (microsoft.public.win2000.security)