Domain Local into Domain Admins Group

 
 
Cosmo

 
      11-16-2009
How do I make a 'Domain Local' security group which contains a Universal
group from another domain, a member of the Global 'Domain Admins' group?

DL's can't become a member of GG's
 
Marcin

 
      11-16-2009
Cosmo,
you can not. Domain global groups can contain only users and global groups
from the same domain...
If you need to grant Domain Admins equivalent privileges to accounts from
other domains, add them to the domain local Administrators group and local
Administrators groups on all domain member computers...

hth
Marcin

"Cosmo" <> wrote in message
news:359EF508-7586-4260-A53C-...
> How do I make a 'Domain Local' security group which contains a Universal
> group from another domain, a member of the Global 'Domain Admins' group?
>
> DL's can't become a member of GG's



 
Paul Bergson [MVP-DS]

 
      11-16-2009

I think you already answered your own question. See the link below for the
group scope rules.

http://technet.microsoft.com/en-us/l...92(WS.10).aspx

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Cosmo" <> wrote in message
news:359EF508-7586-4260-A53C-...
> How do I make a 'Domain Local' security group which contains a Universal
> group from another domain, a member of the Global 'Domain Admins' group?
>
> DL's can't become a member of GG's



 
Ace Fekay [MCT]

 
      11-16-2009
"Cosmo" <> wrote in message
news:359EF508-7586-4260-A53C-...
> How do I make a 'Domain Local' security group which contains a Universal
> group from another domain, a member of the Global 'Domain Admins' group?
>
> DL's can't become a member of GG's



If the domain and forest are both in Windows 2003 Functional Mode or better,
you would follow the "AGGUDLP" rule, which means:

Add users to Global Groups, which can be nested into another Global Group,
which can be added to a Universal Group, which can be nested into another
Universal Group, which can be added to a Domain Local Group, which you then
provide permissions to.

In that direction, and not the other way around. The article Paul posted
explains it in more detail.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.


 
Cosmo

 
      11-20-2009
Thank you all for your responses :-)

As the AD 'Builtin\Administrators' only provides local admin rights on DC's,
how do I make trusted security groups from other domains a member of my local
'Domain Admin' group?

As the 'Domain Admin' group is a GG, it can only contain members from the
local domain.



 
Ace Fekay [MCT]

 
      11-20-2009
"Cosmo" <> wrote in message
news:BD413B54-0277-410A-8CE6-...
> Thank you all for your responses :-)
>
> As the AD 'Builtin\Adminstrators' only provides local admin rights on
> DC's,
> how do I make trusted security groups from other domains a member of my
> local
> 'Domain Admin' group?
>
> As the 'Domain Admin' group is a GG, it can only contain members from the
> the local domain.


That's correct, the AD 'Builtin\Administrators' have complete and
unrestricted access to the computer/domain. Read the description under the
General Tab of the AD 'Builtin\Administrators.'

Keep in mind, it is a Domain Local group. Because of that, you can add
users, global and universal groups from its own domain and any trusted
domain, as well as other Domain Local groups from its own domain (this is
called "nesting"), providing anyone that has been added to the Local
Administrators group complete and unrestricted access to the DC and domain
resources (including all DCs, member servers and client machines).

And you are correct that you cannot add a Local Group to a Global Group, but
you can add a Global Group to a Domain Local group, hence the basis of
the AGGUDLP guideline. Basically, it's ADDLP, but because of nesting, you can
also look at it as AGGUDLP, or even ADDUUDLDLP, etc.

I'll try to explain it again in better detail using ADDULDP that I
originally explained:

AGGUDLP:
A: Add a user
G: to a Global Group
G: which can be nested into another Global Group
U: which then can be added to a Universal Group (which can also be nested
into another Universal Group),
DL: which can be added to a Domain Local Group,
P: you then provide permissions to the Domain Local Group.

Because of the multi-level nesting into the Domain Local Group, any
permissions or rights you give the Domain Local Group (or that has them by
default such as the Administrators Domain Local Group), the users in any of
the groups that are nested, will have those permissions and rights.

By default, the Domain Admins group has already been added to the
Administrators Domain Local group, which is where the Domain Admins group
gains its powers.

This guideline and Microsoft 'best practice' rule has been around since the
original NT 3.1 days, not including Universals of course, because that came
out with Windows 2000.

Keep in mind, this is just a guideline. You can do it any way you want. I
like this because as a company grows, it helps because you don't have 500
users in a resource, which takes the system longer to enumerate, rather
simply one group SID which offers extremely fast enumeration.

You can also simply add a user directly to a resource (printer, folder,
etc), or simply add the Domain Local Group to the resource, and provide
permissions to the Domain local Group, and once you add other groups or
users to the Local Group, they gain the permissions and rights on the local
group.

Here is more info:

Understanding & Effectively Using AGDLP
http://troy.computertraining.edu/ind...ly-using-agdlp

AGDLP - From Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/AGDLP

AGLP Group Model:
http://groups.google.com/group/micro...de1bc78d48dafc

And to add a Global or Universal group from a trusted domain, you go into
YOUR Domain Local Group, click Add, change "Location" to the trusted domain,
and choose their Domain Global Group. Matter of fact, you will see
everything on the trusted side except their Local Groups, because the system
will not allow you to add Local Groups to other Local groups in other domains.
If clicking on the Location button doesn't show the trusted domain, then the
trust is not set up correctly.

I hope that all makes sense.

Ace




 
Paul Bergson [MVP-DS]

 
      11-20-2009
You can manage multiple domains within your forest, with a single user
account, by using the Enterprise Administrators Universal group.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Cosmo" <> wrote in message
news:BD413B54-0277-410A-8CE6-...
> Thank you all for your responses :-)
>
> As the AD 'Builtin\Adminstrators' only provides local admin rights on
> DC's,
> how do I make trusted security groups from other domains a member of my
> local
> 'Domain Admin' group?
>
> As the 'Domain Admin' group is a GG, it can only contain members from the
> the local domain.
>
>
>



 
Paul Bergson [MVP-DS]

 
      11-20-2009
I should have prefaced this: I assume you are only going to place a
single Admin in this group. Don't use this with light thought. This is
to manage ALL aspects of the domain. Again, use with care.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
news:...
> You can manage multiple domains within your forest, with a single user
> account, by using the Enterprise Administrators Universal group.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Cosmo" <> wrote in message
> news:BD413B54-0277-410A-8CE6-...
>> Thank you all for your responses :-)
>>
>> As the AD 'Builtin\Adminstrators' only provides local admin rights on
>> DC's,
>> how do I make trusted security groups from other domains a member of my
>> local
>> 'Domain Admin' group?
>>
>> As the 'Domain Admin' group is a GG, it can only contain members from the
>> the local domain.
>>
>>
>>

>
>



 
Cosmo

 
      11-23-2009
Thank you all for your very informative responses.

So to summarize:
An enterprise-wide solution for providing a consistent 'Domain Admin' model
can be achieved by -> Placing the various GG security groups into the 'Domain
Admins' GG and then making this group a member of the 'Enterprise Admins' DL
group, which automatically becomes a member of all 'Local Admins' groups
(including DC's) within the Forest.
 
Paul Bergson [MVP-DS]

 
      11-23-2009
No. Just follow Ace's advice, it is simpler and better security. I was
looking at it from the wrong perspective. Don't use the EA group.

The administrators group is a domain local group. Say you would like all
domain admins from the root of your domain to be admins in a child domain.
Open up ADUC in the child domain and bring up the administrators domain
local group, click add, click the Locations button and select the root
domain to change the focus. Select the domain admins group and click ok.
Now the domain admins group from the root should be a member of the domain
local administrators group in the child domain.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Cosmo" <> wrote in message
news:67BFE5B2-EB62-480C-9376-...
> Thank you all for your very informative responses.
>
> So to summarize:
> An enterprize wide solution for providing a consistent 'Domain Admin'
> model
> can be achieved by -> Placing the various GG security groups into the
> 'Domain
> Admins' GG and then make this group a member of the 'Enterprise Admins'
> DL
> group, which automatically becomes a member of all 'Local Admins' group
> (including DC's) within the Forest.
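
The ADUC steps Paul gives above, and the nesting Ace describes, as an added PowerShell example with the ActiveDirectory module (this is not code from the thread or from Microsoft). The domain names corp.example and child.corp.example are placeholders I assumed; everything else uses the standard AD cmdlets. After the membership change, the script walks the member attribute across domains so that whoever reviews the child domain can see exactly which principals now hold administrator rights there and through which nested group each of them gets them.

```powershell
# Added example, not from the thread: give the forest root's "Domain Admins"
# global group administrator rights in a child domain by nesting it into the
# child's BUILTIN\Administrators domain local group, then audit the result.
# Assumed names (placeholders): root domain corp.example, child child.corp.example.
Import-Module ActiveDirectory

$RootDomain  = 'corp.example'
$ChildDomain = 'child.corp.example'

# The global group from the trusted domain (Cosmo's "trusted security group").
$rootDomainAdmins = Get-ADGroup -Identity 'Domain Admins' -Server $RootDomain

# The child domain's Administrators group. Only a domain local group may hold
# principals from another domain, so check the scope before going further.
$childAdmins = Get-ADGroup -Identity 'Administrators' -Server $ChildDomain
if ($childAdmins.GroupScope -ne 'DomainLocal') {
    throw "Administrators in $ChildDomain is $($childAdmins.GroupScope), expected DomainLocal"
}

# Same operation as ADUC -> Add -> Locations -> root domain -> Domain Admins.
Add-ADGroupMember -Identity $childAdmins -Members $rootDomainAdmins -Server $ChildDomain

function Get-DomainFromDN {
    # DNS name of the domain that holds an object, taken from its DC= components.
    # Simplification: assumes no escaped commas inside the RDNs.
    param([string]$DN)
    ($DN -split ',' | Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_.Substring(3) }) -join '.'
}

function Get-NestedMembers {
    # Walk the member attribute, following each nested group into whichever
    # domain owns it, and report every non-group principal together with the
    # chain of groups that grants it the rights of the top-level group.
    param(
        [string]$GroupDN,
        [string]$Path = '',
        [hashtable]$Seen = @{}      # guards against circular nesting
    )
    if ($Seen.ContainsKey($GroupDN)) { return }
    $Seen[$GroupDN] = $true

    $domain = Get-DomainFromDN $GroupDN
    $group  = Get-ADObject -Identity $GroupDN -Server $domain -Properties member
    $chain  = "$Path$($group.Name)@$domain"

    foreach ($memberDN in $group.member) {
        $member = Get-ADObject -Identity $memberDN -Server (Get-DomainFromDN $memberDN)
        if ($member.ObjectClass -eq 'group') {
            Get-NestedMembers -GroupDN $memberDN -Path "$chain -> " -Seen $Seen
        } else {
            # Users, computers and foreignSecurityPrincipal objects end the chain.
            [pscustomobject]@{
                Principal = $member.Name
                Class     = $member.ObjectClass
                Via       = $chain
            }
        }
    }
}

# Who can now administer every DC and member computer in the child domain,
# and through which nested group each of them gets there.
Get-NestedMembers -GroupDN $childAdmins.DistinguishedName | Format-Table -AutoSize
```

Within one forest the root domain's DN resolves through the global catalog, which is why a plain Add-ADGroupMember is enough here. Across a forest trust the member is stored as a foreignSecurityPrincipal instead; in that case the audit function still lists it (with Class foreignSecurityPrincipal) but cannot follow it into the other forest, so the chain stops at the trust boundary and the other forest's group membership has to be reviewed on that side.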



 