Re: Domain Admin Access across Trusted domains

From: Joe Rookie (ihatespam_at_spammers.suck)
Date: 04/13/05

    Date: Wed, 13 Apr 2005 16:59:13 -0400

    Roger --

    I'll expand on "DevGD"'s post, if I may ...

    We have a training domain in a separate forest, because we needed to not
    have two-way transitive trusts between it and our production domain ... I
    can add members of our production domain to a Domain Local security group, but
    not to Domain Global security groups on the training domain ... If I add our
    users to a Domain Local security group, I can't add that Domain Local
    security group to the Domain Global group "Domain Admins" ... We have
    delegated any administrative task possible through Delegation, but that
    does not allow us all admin rights, such as Group Policy administration ...
    Anyone who can offer assistance in getting a domain user from a separate
    domain and forest into the trusting domain's Domain Admins group would be
    severely appreciated !!! I don't think it's possible, because I've tried
    everything I can think of, but I could be wrong, and hope that I am ...

    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:e3%23JcpuPFHA.4024@TK2MSFTNGP10.phx.gbl...
    > You may have a DNS issue.
    > If both domains are using Windows DNS and are W2k3 then
    > you could resolve this with conditional forwarding. Else,
    > you would need to establish secondary zones each in the
    > other domain so that both can resolve the AD supporting
    > DNS records of the other.
    >
    > You should expect to not be able to add external groups into
    > your domain global groups. You should be able to see the
    > trusted domain in the list of locations in the user/group object
    > picker, and to then add from the external as long as you are
    > not attempting to nest externals into your globals.
    >
    > --
    > Roger Abell
    > Microsoft MVP (Windows Security)
    > MCSE (W2k3,W2k,Nt4) MCDBA
    > "DevGD" <DevGD@discussions.microsoft.com> wrote in message
    > news:AD20CA04-47BE-4EF3-BE8C-51063716CBA2@microsoft.com...
    > > The trust is a two way external trust. I can not add members from the trusted
    > > domain to groups on my domain. I can only add access on the folder/file
    > > level. How can I add myself to the domain admins group or even the enterprise
    > > admins group? When I open the group and select add on the members tab, I can
    > > not see my domain to add my account.
    > >
    > > Any ideas?
    > >
    > > Thanks
    > > Dev
    > >
    > > "Roger Abell" wrote:
    > >
    > > > If your machine is in a domain that trusts them, then you
    > > > need an account in the trusted domain. If theirs is trusting
    > > > yours, then they could adjust membership of their Domain
    > > > Admins group to add your account (they cannot add your
    > > > Domain Admins group as it would be global in alien global)
    > > >
    > > > --
    > > > Roger Abell
    > > > Microsoft MVP (Windows Security)
    > > > MCSE (W2k3,W2k,Nt4) MCDBA
    > > > "DevGD" <DevGD@discussions.microsoft.com> wrote in message
    > > > news:B7D22334-5383-4CA6-8B74-885D58221845@microsoft.com...
    > > > > Is there a way for me to have administrator rights on a domain that I trust
    > > > > with my domain? I just merged with a company and have established an external
    > > > > trust with their network. I am now in charge of all active directory for the
    > > > > whole company and would like to be able to access their AD from my pc
    > > > > directly.
    > > > >
    > > > > Any help would be much appreciated.
    > > > >
    > > > > Thanks
    > > > > Dev
    > > >
    > > >
    > > >
    >
    >
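
The group-scope rule discussed in this thread, as an added example that is not part of the original posts: PowerShell that shows the scope of the groups the posters name and lists which Domain Local groups already hold accounts from a trusted domain. It assumes the ActiveDirectory module (RSAT) and read access in the trusting domain; the output column names are chosen here for illustration.

```powershell
# Added example: run in the trusting domain with the ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Scope of the groups named in the thread. A Global group such as
#    Domain Admins accepts members from its own domain only, which is why
#    the object picker does not offer the trusted domain for it.
'Domain Admins', 'Enterprise Admins', 'Administrators' |
    ForEach-Object { Get-ADGroup -Filter "SamAccountName -eq '$_'" } |
    Format-Table Name, GroupScope, GroupCategory -AutoSize

# 2. Domain Local groups that contain accounts from a trusted domain.
#    Such members are stored as foreignSecurityPrincipal objects whose
#    CN is the SID of the external account.
$report = Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"' -Properties member |
    ForEach-Object {
        $group = $_
        foreach ($dn in $group.member) {
            # Keep only domain account SIDs (S-1-5-21-...), skipping
            # well-known principals such as Authenticated Users.
            if ($dn -notmatch '^CN=(S-1-5-21-[\d-]+),CN=ForeignSecurityPrincipals,') {
                continue
            }
            $sid = $Matches[1]
            try {
                # Resolving the SID needs a working trust and cross-domain DNS.
                $sidObject = [System.Security.Principal.SecurityIdentifier]$sid
                $account = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '(unresolved: check trust and DNS)'
            }
            [pscustomobject]@{
                Group   = $group.Name
                Sid     = $sid
                Account = $account
            }
        }
    }

$report | Sort-Object Group, Account | Format-Table -AutoSize
```

Rows whose Account column is unresolved point at the name-resolution problem raised in the quoted reply, since the SID cannot be translated when the trusted domain's DNS records are unreachable.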

