Re: Domain Admin Access across Trusted domains

From: Joe Rookie (ihatespam_at_spammers.suck)
Date: 04/15/05

    Date: Fri, 15 Apr 2005 09:18:24 -0400
    
    

    Thanks, Roger ... This one has been killing me for awhile :-) ... I added
    our admins to the Builtin Local Security group "Administrators" ...
    Hopefully, this gives us what we need ... It was frustrating trying to
    figure this out because we would go through the process, knowing which types
    of groups can have what types of groups and users, and every time we thought
    we had it, we figured out why we couldn't :-) !!!

    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:%238ll2UVQFHA.2868@TK2MSFTNGP10.phx.gbl...
    > "Joe Rookie" <ihatespam@spammers.suck> wrote in message
    > news:O%23ettuGQFHA.3076@TK2MSFTNGP14.phx.gbl...
    > > Roger --
    > >
    > > I'll expand on "DevGD"'s post, if I may ...
    > >
    > > We have a training domain in a separate forest, because we needed to not
    > > have two-way transitive trusts between it and our production domain ... I
    > > can add members of our production domain to Domain Local security group,
    > > but not to Domain Global security groups on the training domain ... If I
    > > add our users to a Domain Local security group, I can't add that Domain
    > > Local security group to the Domain Global group "Domain Admins" ... We
    > > have delegated any administrative task possible through Delegation, but
    > > that does not allow us all admin rights, such as Group Policy
    > > administration ... Anyone who can offer assistance in getting a domain
    > > user from a separate domain and forest into the trusting domain's Domain
    > > Admins group would be severely appreciated !!! I don't think it's
    > > possible, because I've tried everything I can think of, but I could be
    > > wrong, and hope that I am ...
    > >
    > Joe,
    >
    > That is quite clearly described.
    > What you are experiencing is due to the fact that domain globals
    > are defined to consist only of objects of their domain.
    >
    > Much, not all, can be conferred by making members of the
    > domain's local Administrators group, but yes, this is not the
    > same as making them members of Domain Admins.
    >
    > --
    > Roger Abell
    > Microsoft MVP (Windows Security)
    > MCSE (W2k3,W2k,Nt4) MCDBA
    >
    > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > > news:e3%23JcpuPFHA.4024@TK2MSFTNGP10.phx.gbl...
    > > > You may have a DNS issue.
    > > > If both domains are using Windows DNS and are W2k3 then
    > > > you could resolve this with conditional forwarding. Else,
    > > > you would need to establish secondary zones each in the
    > > > other domain so that both can resolve the AD supporting
    > > > DNS records of the other.
    > > >
    > > > You should expect to not be able to add external groups into
    > > > your domain global groups. You should be able to see the
    > > > trusted domain in the list of locations in the user/group object
    > > > picker, and to then add from the external as long as you are
    > > > not attempting to nest externals into your globals.
    > > >
    > > > --
    > > > Roger Abell
    > > > Microsoft MVP (Windows Security)
    > > > MCSE (W2k3,W2k,Nt4) MCDBA
    > > > "DevGD" <DevGD@discussions.microsoft.com> wrote in message
    > > > news:AD20CA04-47BE-4EF3-BE8C-51063716CBA2@microsoft.com...
    > > > > The trust is a two way external trust. I can not add members from the
    > > > > trusted domain to groups on my domain. I can only add access on the
    > > > > folder/file level. How can I add myself to the domain admins group or
    > > > > even the enterprise admins group? When I open the group and select add
    > > > > on the members tab, I can not see my domain to add my account.
    > > > >
    > > > > Any ideas?
    > > > >
    > > > > Thanks
    > > > > Dev
    > > > >
    > > > > "Roger Abell" wrote:
    > > > >
    > > > > > If your machine is in a domain that trusts them, then you
    > > > > > need an account in the trusted domain. If theirs is trusting
    > > > > > yours, then they could adjust membership of their Domain
    > > > > > Admins group to add your account (they cannot add your
    > > > > > Domain Admins group as it would be global in alien global)
    > > > > >
    > > > > > --
    > > > > > Roger Abell
    > > > > > Microsoft MVP (Windows Security)
    > > > > > MCSE (W2k3,W2k,Nt4) MCDBA
    > > > > > "DevGD" <DevGD@discussions.microsoft.com> wrote in message
    > > > > > news:B7D22334-5383-4CA6-8B74-885D58221845@microsoft.com...
    > > > > > > Is there a way for me to have administrator rights on a domain that I
    > > > > > > trust with my domain? I just merged with a company and have
    > > > > > > established an external trust with their network. I am now in charge
    > > > > > > of all active directory for the whole company and would like to be
    > > > > > > able to access their AD from my pc directly.
    > > > > > >
    > > > > > > Any help would be much appreciated.
    > > > > > >
    > > > > > > Thanks
    > > > > > > Dev
    > > > > >
    > > > > >
    > > > > >
    > > >
    > > >
    > >
    > >
    >
    >
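
Added example, not part of the original thread: once accounts from a trusted domain have been placed in the trusting domain's built-in Administrators group as described above, this PowerShell sketch lists which foreign principals hold that membership so the grant can be reviewed. It assumes the RSAT ActiveDirectory module is installed, and `training.example` is a placeholder for the trusting domain.

```powershell
# Added example: audit foreign (trusted-domain) members of BUILTIN\Administrators
# in a trusting domain. Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

# Placeholder (assumption): DNS name or DC of the trusting domain.
$Server = 'training.example'

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the lookup
# does not depend on the group's display name.
$admins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $Server -Properties member

$report = foreach ($dn in $admins.member) {
    $obj = Get-ADObject -Identity $dn -Server $Server -Properties objectSid

    # Members that come from another domain across a trust are stored locally
    # as foreignSecurityPrincipal objects named by SID; skip everything else.
    if ($obj.ObjectClass -ne 'foreignSecurityPrincipal') { continue }

    $sid = $obj.objectSid
    try {
        # Resolution goes through the trust, so it needs working name
        # resolution between the two domains.
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        # Unresolvable SIDs still matter: they may be deleted accounts or a
        # sign that the trust or DNS is broken.
        $name = '<unresolved>'
    }

    [pscustomobject]@{
        Account = $name
        Sid     = $sid.Value
        FspDN   = $obj.DistinguishedName
    }
}

$report | Sort-Object Account | Format-Table -AutoSize
```

Only direct members are listed; a domain local group nested inside Administrators would need the same check applied to its own `member` attribute.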

