Re: Domain Admin Access across Trusted domains

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 04/15/05


Date: Thu, 14 Apr 2005 17:54:26 -0700


"Joe Rookie" <ihatespam@spammers.suck> wrote in message
news:O%23ettuGQFHA.3076@TK2MSFTNGP14.phx.gbl...
> Roger --
>
> I'll expand on "DevGD"'s post, if I may ...
>
> We have a training domain in a separate forest, because we needed to not
> have two-way transitive trusts between it and our production domain ... I
> can add members of our production domain to Domain Local security group, but
> not to Domain Global security groups on the training domain ... If I add our
> users to a Domain Local security group, I can't add that Domain Local
> security group to the Domain Global group "Domain Admins" ... We have
> delegated any administrative task possible through Delegation, but that
> does not allow us all admin rights, such as Group Policy administration ...
> Anyone who can offer assistance in getting a domain user from a separate
> domain and forest into the trusting domain's Domain Admins group would be
> severely appreciated !!! I don't think it's possible, because I've tried
> everything I can think of, but I could be wrong, and hope that I am ...
>
Joe,

That is quite clearly described.
What you are experiencing is due to the fact that domain globals
are defined to consist only of objects of their domain.

Much, not all, can be conferred by making members of the
domain's local Administrators group, but yes, this is not the
same as making them members of Domain Admins.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:e3%23JcpuPFHA.4024@TK2MSFTNGP10.phx.gbl...
> > You may have a DNS issue.
> > If both domains are using Windows DNS and are W2k3 then
> > you could resolve this with conditional forwarding.  Else,
> > you would need to establish secondary zones each in the
> > other domain so that both can resolve the AD supporting
> > DNS records of the other.
> >
> > You should expect to not be able to add external groups into
> > your domain global groups.  You should be able to see the
> > trusted domain in the list of locations in the user/group object
> > picker, and to then add from the external as long as you are
> > not attempting to nest externals into your globals.
> >
> > -- 
> > Roger Abell
> > Microsoft MVP (Windows  Security)
> > MCSE (W2k3,W2k,Nt4)  MCDBA
> > "DevGD" <DevGD@discussions.microsoft.com> wrote in message
> > news:AD20CA04-47BE-4EF3-BE8C-51063716CBA2@microsoft.com...
> > > The trust is a two way external trust. I can not add members from the
> > > trusted domain to groups on my domain. I can only add access on the
> > > folder/file level. How can I add myself to the domain admins group or
> > > even the enterprise admins group? When I open the group and select add
> > > on the members tab, I can not see my domain to add my account.
> > >
> > > Any ideas?
> > >
> > > Thanks
> > > Dev
> > >
> > > "Roger Abell" wrote:
> > >
> > > > If your machine is in a domain that trusts them, then you
> > > > need an account in the trusted domain.  If theirs is trusting
> > > > yours, then they could adjust membership of their Domain
> > > > Admins group to add your account (they cannot add your
> > > > Domain Admins group as it would be global in alien global)
> > > >
> > > > -- 
> > > > Roger Abell
> > > > Microsoft MVP (Windows  Security)
> > > > MCSE (W2k3,W2k,Nt4)  MCDBA
> > > > "DevGD" <DevGD@discussions.microsoft.com> wrote in message
> > > > news:B7D22334-5383-4CA6-8B74-885D58221845@microsoft.com...
> > > > > Is there a way for me to have administrator rights on a domain
> > > > > that I trust with my domain? I just merged with a company and have
> > > > > established an external trust with their network. I am now in
> > > > > charge of all active directory for the whole company and would
> > > > > like to be able to access their AD from my pc directly.
> > > > >
> > > > > Any help would be much appreciated.
> > > > >
> > > > > Thanks
> > > > > Dev
> > > >
> > > >
> > > >
> >
> >
>
>
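
The group-scope behaviour discussed in this thread, modelled as an added example (not part of the original posts): a small checker for the native-mode Active Directory nesting rules, run against the cases the posters describe. The domain, forest and group names (PROD, TRAIN, ProdAdmins-DL) are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str   # domain that holds the object
    forest: str
    kind: str     # "user", "global", "universal" or "domain_local"

def can_add(member, group, trusted=frozenset()):
    """True if `member` may be made a member of `group`.

    `trusted` is the set of domains the group's domain trusts through an
    external or forest trust (assumption: native-mode scope rules).
    """
    same_domain = member.domain == group.domain
    same_forest = member.forest == group.forest
    if group.kind == "global":
        # Globals hold only accounts and globals of their own domain.
        return same_domain and member.kind in ("user", "global")
    if group.kind == "universal":
        return same_forest and member.kind in ("user", "global", "universal")
    if group.kind == "domain_local":
        if member.kind == "domain_local":
            return same_domain
        if member.kind == "universal":
            return same_forest
        # Accounts and globals may come from any trusted domain.
        return same_forest or member.domain in trusted
    raise ValueError(f"{group.name} is not a group")

# Constructed objects: TRAIN (separate forest) trusts PROD.
joe = Principal("joe", "PROD", "prod-forest", "user")
prod_da = Principal("Domain Admins", "PROD", "prod-forest", "global")
train_da = Principal("Domain Admins", "TRAIN", "train-forest", "global")
train_dl = Principal("ProdAdmins-DL", "TRAIN", "train-forest", "domain_local")
train_builtin = Principal("Administrators", "TRAIN", "train-forest", "domain_local")
TRUSTED_BY_TRAIN = frozenset({"PROD"})

def thread_scenarios():
    t = TRUSTED_BY_TRAIN
    return {
        "PROD user -> TRAIN Domain Admins": can_add(joe, train_da, t),
        "PROD Domain Admins -> TRAIN Domain Admins": can_add(prod_da, train_da, t),
        "PROD user -> TRAIN domain local group": can_add(joe, train_dl, t),
        "TRAIN domain local -> TRAIN Domain Admins": can_add(train_dl, train_da, t),
        "PROD user -> TRAIN builtin Administrators": can_add(joe, train_builtin, t),
    }

if __name__ == "__main__":
    for case, allowed in thread_scenarios().items():
        print(f"{'allowed' if allowed else 'refused':8} {case}")
```

For access review, the practical consequence is that cross-domain administrators show up in domain local groups such as the built-in Administrators group rather than in Domain Admins, so both need to be enumerated.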

