Results 1 to 6 of 6

Thread: Cross Domain privialges for Domain Admins

  1. #1
    Join Date
    Sep 2005
    Posts
    138

    Cross Domain privialges for Domain Admins

    I am on a 2008 native domain setup with Domain-Child1 users and Domain Parent and Domain-Child 2 with servers, applications, services. I have got complete control over all the domains. It has been decided via Policy that all users will reside in Domain-Child1, so what kind of trusts need to be set up, groups setup, members added, etc; so that I can use 1 user account, and be a Domain Admin in both Domain-Child1 and Domain-Child2? Also the policy says user must reside in Domain-Child1 and I should not be an enterprise admin? Thanks.

  2. #2
    Join Date
    Sep 2005
    Posts
    226

    Re: Cross Domain privialges for Domain Admins

    I should tell you that by default all domains within a forest have a hierarchical and transitive trust with each other. So, it will not matter where the clients and users reside. If you want to do this for security reasons then this isnt proper, the security boundary is the forest and not the domain, because of this I would suggest that you reconsider and create a single domain within your forest.There is a short explanation on security boundaries that you might want to read from the below link:
    http://msmvps.com/blogs/ulfbsimonwei...vs-domain.aspx

  3. #3
    Join Date
    Sep 2005
    Posts
    1,306
    You can try to make a global group in domain 1 and place the user account (domain admin) within this group. After that create a universal group in domain 2 and place the global group created in domain 1 into the universal group and place the universal group in the domain admin group in domain 2. Also, check in the below link about group scopes and its use:
    http://technet.microsoft.com/en-us/l.../cc755692.aspx

  4. #4
    Join Date
    Jan 2006
    Posts
    2,257
    You can try to add the admin from child domain1 to child domain2's local admin group and not the global domain admin group.

  5. #5
    Join Date
    Sep 2009
    Posts
    1
    i don't understand, you answer:

    I have created global group in dom1, and i have added domains admin@dom1 groupe in members of this group. after i create universal group in dom2 but : in this group i can't browse other domain in members, but i can browse other domain in members of but i don't see the global group create before. please can you explain me.

  6. #6
    Join Date
    Mar 2010
    Posts
    221

    Re: Cross Domain privialges for Domain Admins

    If you add the group to the Administrators groups on a DC, which has domain administrator permissions on the domain itself, and all developing countries. To obtain the domain administrator permissions on all domain members that need to be added to a group that is a direct member or nested groups of administrators on all workstations and member servers in the domain.

Similar Threads

  1. Domain Admins Security member list
    By denizcakan in forum Windows Server Help
    Replies: 2
    Last Post: 24-07-2011, 12:37 AM
  2. adding another domain user as domain admins group
    By Billie in forum Active Directory
    Replies: 3
    Last Post: 19-07-2010, 06:57 PM
  3. Replies: 1
    Last Post: 16-09-2009, 10:11 AM
  4. Question on PHP cross domain session
    By afidelino in forum Software Development
    Replies: 3
    Last Post: 08-08-2009, 06:41 PM
  5. Join computer to domain without domain admins right
    By ridergroov in forum Active Directory
    Replies: 2
    Last Post: 09-10-2008, 03:08 AM

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Page generated in 1,642,800,613.11634 seconds with 17 queries