Re: External trust question

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 08/25/05

    Date: Wed, 24 Aug 2005 21:51:30 -0500
    
    

    While the administrators group in a domain is all-powerful in the domain, it
    does not automatically have access to all resources in the domain, such as
    domain computers. The domain admins group is by default in the local
    administrators group of all domain computers, but you cannot add your
    account to that group because it is a global group. You could create an
    account in the other domain that is in the domain admins group in the other
    domain and then log on as that account when you need admin access to
    computers in that domain, or you can add your domain account to the local
    administrators group of computers in that domain that you want to manage.
    That could be automated with a Group Policy startup script using the net
    localgroup command in a batch file or with Group Policy Restricted Groups
    at the Organizational Unit level. --- Steve

    "Darren" <Darren@somewhere.com> wrote in message
    news:eHQyiwNqFHA.1024@TK2MSFTNGP09.phx.gbl...
    > Hi, All
    > I have successfully established a two-way external trust (2) separate
    > forest. (Win2003 Forest and Win2000 forest).
    >
    > In addition I have added my domain admin account from the Win2003 Forest
    > to the local builtin administrator group on the Win2000 Forest however
    > when I try to access resources on the Win2000 forest while I am logged in
    > to the Win2003 Forest using my Win2003 domain admin account I get
    > access denied. ..
    > I guess my question is how can I have domain admin access to all servers
    > within the Win2000 forest while logged in to the win2003 forest using my
    > Win2003 domain account..
    >
    > Please advise..
    > Thanks
    > Darren
    >
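
The startup-script approach Steve describes, sketched as an added example that is not part of the original thread. The account `TRUSTED\jdoe`, the log path, and the English group name `Administrators` are assumptions to replace with your own values; the script is meant to be linked as a computer startup script on the OU holding the machines to be managed.

```batch
@echo off
rem Added example (not from the original post): computer startup script that
rem adds one account from the trusted domain to the local Administrators group.
rem Computer startup scripts run as Local System, so no credentials are stored.
rem ASSUMPTIONS: TRUSTED\jdoe is a placeholder account, the log path is
rem hypothetical, and "Administrators" is the English name of the group.
setlocal
set "ACCOUNT=TRUSTED\jdoe"
set "GROUP=Administrators"
set "LOG=%SystemRoot%\Temp\add-remote-admin.log"

rem Skip the add when the account is already listed, so repeated boots do not
rem log an "already a member" error. find does a substring match, so pick an
rem account name that is not a prefix of another member's name.
net localgroup "%GROUP%" | find /i "%ACCOUNT%" >nul
if not errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME%: %ACCOUNT% already in %GROUP% >>"%LOG%"
    goto :done
)

rem Add the account; net exits non-zero if the name cannot be resolved
rem across the trust or the group does not exist.
net localgroup "%GROUP%" "%ACCOUNT%" /add >>"%LOG%" 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME%: FAILED to add %ACCOUNT% >>"%LOG%"
) else (
    echo %DATE% %TIME% %COMPUTERNAME%: added %ACCOUNT% to %GROUP% >>"%LOG%"
)

rem Record the resulting membership so the change can be reviewed later.
net localgroup "%GROUP%" >>"%LOG%" 2>&1

:done
endlocal
```

Scoping the GPO to a specific OU keeps the cross-domain account off machines it does not need to manage, and the per-machine log gives a record of where the membership was granted.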

