Re: Trust Relationship NT4 & W2K Domains

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/24/04


Date: Tue, 24 Feb 2004 02:21:41 GMT

That is why you would have to add them to the built-in Administrators group for that
domain; you cannot add them to the Domain Admins because that is a global group.
You should see that the Domain Admins group of a domain is already a member of the
built-in Administrators group for the domain. I really don't know why it works for
you with two NT4.0 domains, but then W2K did beef up security somewhat compared to
NT4.0, so it does not surprise me that it does not work the same way. --- Steve

<anonymous@discussions.microsoft.com> wrote in message
news:00e701c3fa78$45c4c9d0$a401280a@phx.gbl...
> Thanks for the idea, we had already considered this
> option but when you open the Domain Admins group on each
> of the domains there does not appear to be any way to
> access the users/group from the other Domain.
>
> Also in the current Trust Relationship between the two
> NT4 Domains which is working, this has not been necessary
> and access would appear to be provided through the two-
> way Trust only.
>
> I believe that I can get some of these things working by
> adding the respective Domain Admins Groups into the
> Policies "Log on locally" & "Access this computer from
> the network". However this has not been necessary to make
> the Trust Relationship work between the NT4 Domains. We
> would therefore consider this to be a workaround and
> would be concerned what other things are not going to
> work for clients from either Domain connecting to the
> alternate Domain.
>
> We need to establish seamless functionality between the
> two domains from both an administrative and client
> perspective. I have been unable to locate any
> documentation which might outline the requirements for
> this solution to function as desired.
>
> Any further ideas would be much appreciated.
>
> >-----Original Message-----
> >Try adding the administrators account [or domain admins group if appropriate] you are
> >using from each domain to the administrators group on the other domain to see if that
> >helps. --- Steve
> >
> ><anonymous@discussions.microsoft.com> wrote in message
> >news:017101c3fa70$c4b65270$a101280a@phx.gbl...
> >> We have a requirement to set up a two-way Trust
> >> Relationship between an NT4 Domain and a Windows 2000
> >> Domain. We have set up a couple of servers in a lab to
> >> test and prove a solution before completing on our
> >> production Servers.
> >>
> >> There were no issues noted during the creation of the
> >> two-way Trust. However we cannot log on to either of the
> >> PDCs with the Administrator account from the other Domain.
> >> Also we cannot view the security group properties for
> >> the respective alternate Domains.
> >>
> >> We already have in production a similar configuration
> >> between two NT4 Domains which has no special setup
> >> apart from a two-way Trust Relationship and we do not have
> >> these issues.
> >>
> >> Can someone please advise if there are special
> >> requirements for allowing this functionality between an
> >> NT4 Domain and a W2K Domain.
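
The group scope rule described in the reply above, as an added example that is not part of the original thread: a simplified Python model of NT4 / Windows 2000 mixed-mode membership rules, showing why a foreign account is rejected by the global Domain Admins group but a foreign global group can be nested in the built-in Administrators group. The domain names NT4DOM and W2KDOM and all function names are assumptions made for illustration.

```python
# Simplified model of NT4 / Windows 2000 mixed-mode group scope rules.
# Domain names and accounts used with it are constructed for illustration.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    domain: str
    name: str

@dataclass
class Group:
    domain: str
    name: str
    scope: str                      # "global" or "local" (built-in / domain local)
    members: list = field(default_factory=list)

def add_member(group, member, trusted):
    """Add member to group, enforcing scope rules.

    trusted: set of domain names that group.domain trusts.
    """
    foreign = member.domain != group.domain
    if group.scope == "global":
        # Global groups hold only user accounts from their own domain.
        if foreign or isinstance(member, Group):
            raise ValueError(
                f"{group.name} is global: cannot hold {member.domain}\\{member.name}")
    else:
        # Local groups hold users and global groups from own or trusted domains.
        if foreign and member.domain not in trusted:
            raise ValueError(f"{group.domain} does not trust {member.domain}")
        if isinstance(member, Group) and member.scope != "global":
            raise ValueError("only global groups can be nested in a local group")
    group.members.append(member)

def is_admin(user, administrators):
    """True if user is in the built-in Administrators group,
    directly or through one nested global group."""
    for m in administrators.members:
        if m == user:
            return True
        if isinstance(m, Group) and user in m.members:
            return True
    return False
```
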


