Re: External trust question
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: Wed, 24 Aug 2005 21:51:30 -0500
While the administrators group in a domain is all powerful in the domain it
does not automatically have access to all resources in the domain such as
domain computers. The domain admins group is by default in the local
administrators group of all domain computers but you can not add your
account to that group because it is a global group. You could create an
account in the other domain that is in the domain admins group in the other
domain and then logon as that account when you need admin access to
computers in the that domain or you can add you domain account to the local
administrators group of computers in that domain that you want to manage.
That could be automated with a Group Policy startup script using the net
local group command in a batch file or with Group Policy Restricted Groups
at the Organizational Unit level. --- Steve
"Darren" <Darren@somewhere.com> wrote in message
> Hi, All
> I have successfully established a two-way external trust (2) separate
> forest. (Win2003 Forest and Win2000 forest).
> In addition I have added my domain admin account from the Win2003 Forest
> to the local builtin administrator group on the Win2000 Forest however
> when I try to access resources on the Win2000 forest while I am logged in
> to the Win2003 Forest using my using my Win2003 domain admin account I get
> access denied. ..
> I guess my question is how can I have doamin admin access to all servers
> within the Win2000 forest while logged in to the win2003 forest using my
> Win2003 domain account..
> Please advise..