Re: Insufficient rights to edit all GPOs in local forest from account in trusted forest.
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Wed, 16 Aug 2006 08:19:44 -0700
Your analysis of the rules for group nesting is mostly correct.
It is possible to change the default security descriptor for AD objects,
such as GPOs, in order to impact the security set on newly defined
GPOs. However, you would need to make further changes so that
all aspects of GPO editing could be accomplished (like permissions
on policy objects in SysVol, on adm templates used for editing, etc.)
and you would need to revisit all existing GPOs.
I am also concerned in that you are not using a W2k3 forest-level
trust (i.e. Kerberos enabled) and so the cross-forest authentication
would be NTLM based.
In short, your simple solution would be to provision accounts in the
trusting forest that are Domain Admins there.
"GPObmp" <blakep@xxxxxx> wrote in message
news:1155662495.622699.203150@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> I have 2 forests, Forest A and Forest B.
> There is a one-way non-transitive trust going from Forest B to Forest A,
> so in summary, Forest B trusts Forest A.
> I have a group in Forest A called "Forest A Admins".
> This group is a member of the BUILTIN\Administrators group in Forest B.
> Unfortunately this membership does not give my "Forest A Admins" group
> enough rights in Forest B.
> I need the members of "Forest A Admins" to edit all GPOs in Forest B.
> I know I can manually go in and edit the delegation of each GPO in
> Forest B; however, I want this group to have explicit rights over all
> GPOs in Forest B no matter who created them.
> As far as I know there is only one group which has this access, this is
> the "Domain Admins" group from Forest B.
> Unfortunately, as my "Forest A Admins" group is a Universal group (to become a
> member of BUILTIN\Administrators) it cannot be added to the "Domain
> Admins" group in Forest B as that is a Global group.
> As far as I know, I am officially stuck and there is no way around it. I
> have tried every membership under the sun to get my "Forest A Admins"
> into the Forest B "Domain Admins" but it is impossible.
> So far, this is what I have gathered.
> The only group in Forest A which can get membership in a group in
> Forest B is a Universal group.
> The only group a Forest A Universal group can be a member of in Forest
> B is a Local group.
> In Forest B, a Local group can only be a member of another Local group.
> The only Local group in Forest B which gives me most of the rights I need
> is the "BUILTIN\Administrators" group.
> This group does not have sufficient rights to have full access to every
> GPO.
> Apart from the Forest B Domain Admins, there is no way to get full
> rights over every GPO ever created in Forest B using a Forest A user
> account.
> All I can think of is hacking the schema.
> I would be extremely grateful for any input.
> Thanks,
> Blake.
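Blake mentions that the delegation of each existing GPO can be edited by hand, and Roger's reply points out that changing the default security descriptor still leaves every existing GPO to revisit and that a non-forest trust means NTLM rather than Kerberos. The script below is an added example and is not part of this thread or of Microsoft's own documentation; it scripts exactly those two checks for a defender. It assumes the GroupPolicy and ActiveDirectory PowerShell modules (RSAT on Windows Server 2008 R2 or later, which did not exist when this thread was written), that it runs on a Forest B host under an account that may already modify GPO security there, and placeholder names `forestb.example` and `FORESTA\Forest A Admins` for the Forest B domain and the trusted-forest universal group.

```powershell
# Added example, not from the original thread. Requires the GroupPolicy and
# ActiveDirectory modules (RSAT). Domain and group names below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ForestBDomain = 'forestb.example'          # placeholder: Forest B domain
$Group         = 'FORESTA\Forest A Admins'  # placeholder: trusted-forest universal group
$Required      = 'GpoEditDeleteModifySecurity'

# 1. Trust check (Roger's concern): a trust that is not ForestTransitive is
#    an external trust, so cross-forest authentication falls back to NTLM.
Write-Host '--- Trusts defined in Forest B ---'
Get-ADTrust -Filter * -Server $ForestBDomain |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest |
    Format-Table -AutoSize

# 2. Audit: list every GPO in Forest B on which the group lacks full edit
#    rights. Get-GPPermission errors when the trustee has no entry at all,
#    hence -ErrorAction SilentlyContinue.
$missing = foreach ($gpo in Get-GPO -All -Domain $ForestBDomain) {
    $perm = Get-GPPermission -Guid $gpo.Id -Domain $ForestBDomain `
                -TargetName $Group -TargetType Group -ErrorAction SilentlyContinue
    if (-not $perm -or $perm.Permission -ne $Required) { $gpo }
}
Write-Host "--- GPOs where $Group lacks $Required ---"
$missing | Select-Object DisplayName, Id, Owner | Format-Table -AutoSize

# 3. Remediate: the per-GPO delegation step from the post, applied to every
#    GPO found above. Set-GPPermission only raises the level; it does not
#    remove anything, so re-running is safe.
foreach ($gpo in $missing) {
    Set-GPPermission -Guid $gpo.Id -Domain $ForestBDomain -TargetName $Group `
        -TargetType Group -PermissionLevel $Required | Out-Null
    Write-Host "Granted $Required on '$($gpo.DisplayName)'"
}
```

Because this grants rights on GPOs that already exist, it does nothing for GPOs created afterwards (Roger's point about the default security descriptor), so it is the kind of script to run on a schedule or after GPO creation rather than once. The audit step alone, with section 3 removed, is useful on its own as a periodic check that no GPO has drifted outside the intended delegation.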