Re: One domain admin for multiple domains

From: Laura E. Hunter (MVP) (hunter(nospamplease)_at_sfs.upenn.edu)
Date: 05/20/04


Date: Thu, 20 May 2004 16:05:49 -0400

Paul's assertion is absolutely correct...sorry, hit 'Send' before I typed my
"Enterprise Admins is a big bad scary needs-to-be-well-controlled group"
disclaimer.

If you're dealing with 2 separate forests, then you can create a trust
relationship between them and add DOMAIN1\Domain Admins to the
DOMAIN2\Domain Admins group, and/or vice versa.

The forest container is a security boundary in both 2000 and 2003 though, so
this scenario would certainly require a trust relationship to work the way
you're describing.

-- 
******************************
Laura E. Hunter - MCSE, MCT, MVP
Replies to newsgroup only
"Paul Adare - MVP - Microsoft Virtual PC" <padare@newsguy.com> wrote in 
message news:MPG.1b16d6082f08f1e2989966@msnews.microsoft.com...
> In article <OJ0koBqPEHA.2876@TK2MSFTNGP09.phx.gbl>, in the
> microsoft.public.win2000.security news group,  <"Laura E. Hunter (MVP)"
> <hunter(nospamplease)@sfs.upenn.edu>> says...
>
>> If the two domains are in the same forest, you can add the appropriate 
>> users
>> to the "Enterprise Admins" group, which has administrative authority over
>> every domain in the forest.
>>
>
> Not a great idea. Membership in the Enterprise Admins group should be
> tightly controlled. Using Enterprise Admins to allow a group of users
> from one domain to administer another domain in the same forest is a
> really, really bad idea. Better to simply add the group from the first
> domain to Domain Admins in the second domain.
>
> Having said that, from the OP it would appear that these are two
> separate domains, in which case, setting up a trust relationship is the
> solution.
>
>
> -- 
> Paul Adare
> Moral indignation is jealousy with a halo.
> H. G. Wells, The Wife of Sir Isaac Harman 

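The delegation both posters describe, as an added PowerShell example that is not part of the thread: it checks that a trust with the other domain exists, audits who is effectively in Enterprise Admins (the group both posters say must stay tightly controlled), and then grants the trusted domain's Domain Admins group rights in this domain only. The domain names are placeholders, the RSAT ActiveDirectory module is assumed, and the membership change runs with -WhatIf so it can be reviewed before being applied. The one design choice to note: Domain Admins is a global group, and global groups only accept members from their own domain, so the cross-domain group is placed in the domain-local Builtin\Administrators group instead.

```powershell
# Added example (not from the newsgroup thread): verify a trust, audit
# Enterprise Admins, and delegate cross-domain admin rights without using
# Enterprise Admins. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$LocalDomain   = 'domain2.example'   # placeholder: the domain being administered
$TrustedDomain = 'domain1.example'   # placeholder: domain whose admins need access
$ForestRoot    = (Get-ADForest).RootDomain

# 1. Confirm a trust with the other domain exists and report its direction.
$trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'" -Server $LocalDomain
if (-not $trust) {
    throw "No trust with $TrustedDomain exists; create one before delegating."
}
"Trust with {0}: direction={1}, forestTransitive={2}" -f `
    $trust.Name, $trust.Direction, $trust.ForestTransitive

# 2. Audit Enterprise Admins (lives in the forest root) so any unexpected
#    member, including nested ones, stands out.
$ea = Get-ADGroupMember -Identity 'Enterprise Admins' -Server $ForestRoot -Recursive |
      Select-Object Name, objectClass, distinguishedName
"Enterprise Admins has {0} effective member(s):" -f @($ea).Count
$ea | Format-Table -AutoSize

# 3. Grant the trusted domain's Domain Admins rights in this domain only.
#    Domain Admins here is a global group and cannot hold foreign members,
#    so the foreign group is added to the domain-local Administrators group.
#    Passing the ADGroup object across the trust is assumed to resolve to a
#    foreign security principal; replace with $foreignGroup.SID if it does not.
$foreignGroup = Get-ADGroup -Identity 'Domain Admins' -Server $TrustedDomain
Add-ADGroupMember -Identity 'Administrators' -Members $foreignGroup `
    -Server $LocalDomain -WhatIf
```

Remove -WhatIf once the trust direction and the Enterprise Admins audit look right; the trust must be inbound (or bidirectional) from this domain's point of view for the foreign group to be resolvable here.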