adding another domain user as domain admins group

Discussion in 'Active Directory' started by study, Oct 23, 2008.

  1. study

    study Guest

    In a single forest, multi-domain environment (domains A, B, and C), is there a
    way to add a user or a group from domain B to domain C's Domain Admins group?
    It seems the Domain Admins group only accepts contacts or other objects and
    not users or groups when adding objects from another domain.
    And the Domain Admins group is a global group, so I can't add a universal group
    either.

    Any suggestions would be appreciated!
     
    study, Oct 23, 2008
    #1

  2. Marcin

    Marcin Guest

    What exactly are you trying to accomplish? Privileges held by members of
    Domain Admins for the most part result from the fact that this group is
    by default a member of the local Administrators group on all domain member
    computers and of the domain local Administrators group. One way to emulate this
    arrangement is to add an arbitrary account from domain B (such as a
    domain user or a domain global/universal group) to the local Administrators
    group of designated computers in domain B (which can be fairly easily
    accomplished using the Restricted Groups GPO setting).

    hth
    Marcin
     
    Marcin, Oct 23, 2008
    #2

  3. Paul Bergson [MVP-DS]

    Hello study,
    Not sure what exactly you are intending, but you need to know which types of
    groups are visible (usable) from one domain to another domain.

    There are three types of groups:
    Domain Local
    Global
    Universal

    Domain local groups can include global groups and are usually the group type
    that has permissions assigned for it.

    For additional details see:
    http://www.quest.com/technology-glossary/active-directory-groups.aspx


    --
    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4


    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup. This posting
    is provided "AS IS" with no warranties, and confers no rights.
     
    Paul Bergson [MVP-DS], Oct 23, 2008
    #3
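    The scope rules Paul summarises are exactly what blocks the original request. The following is an added Python model of those rules (my example, not code from any poster), with constructed sample principals for domains B and C, that reports whether a given principal can be nested in a given group and why:

```python
# Added example (not from the thread): a small model of Active Directory group-scope
# nesting rules for domains in one forest (native functional level assumed). It explains
# why a domain B user cannot join domain C's global "Domain Admins" group but can join
# domain C's domain local Builtin\Administrators group.
from dataclasses import dataclass
from typing import List, Optional, Tuple

DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "DomainLocal", "Global", "Universal"


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str                   # owning domain; sample values are constructed
    kind: str                     # "user", "computer" or "group"
    scope: Optional[str] = None   # group scope, None for users/computers


def can_be_member(member: Principal, group: Principal) -> Tuple[bool, str]:
    """Return (allowed, reason) for nesting `member` into `group`."""
    if group.kind != "group":
        return False, f"{group.name} is not a group"
    same_domain = member.domain == group.domain
    member_scope = member.scope if member.kind == "group" else None
    if group.scope == GLOBAL:
        # Global groups take accounts and global groups from their own domain only.
        if not same_domain:
            return False, "global groups accept members from their own domain only"
        if member_scope in (DOMAIN_LOCAL, UNIVERSAL):
            return False, f"global groups cannot contain {member_scope} groups"
        return True, "same-domain account or global group"
    if group.scope == UNIVERSAL:
        # Universal groups take accounts, global and universal groups forest-wide.
        if member_scope == DOMAIN_LOCAL:
            return False, "universal groups cannot contain domain local groups"
        return True, "account, global or universal group from any domain in the forest"
    if group.scope == DOMAIN_LOCAL:
        # Domain local groups take anything forest-wide, except foreign domain local groups.
        if member_scope == DOMAIN_LOCAL and not same_domain:
            return False, "domain local groups only nest domain local groups from their own domain"
        return True, "account or group from any domain in the forest"
    return False, f"unknown scope {group.scope!r}"


# Constructed sample objects mirroring the thread: a domain B admin and domain C's groups.
B_ADMIN = Principal("jdoe", "B", "user")
B_ADMINS_UNIVERSAL = Principal("ForestOpsAdmins", "B", "group", UNIVERSAL)
C_DOMAIN_ADMINS = Principal("Domain Admins", "C", "group", GLOBAL)
C_BUILTIN_ADMINS = Principal("Administrators", "C", "group", DOMAIN_LOCAL)


def audit(pairs: List[Tuple[Principal, Principal]]) -> List[dict]:
    """Evaluate (member, group) pairs and return one result row per pair."""
    return [{"member": m.name, "group": f"{g.domain}\\{g.name}", "allowed": ok, "reason": why}
            for m, g in pairs for ok, why in [can_be_member(m, g)]]


if __name__ == "__main__":
    for row in audit([(B_ADMIN, C_DOMAIN_ADMINS), (B_ADMIN, C_BUILTIN_ADMINS),
                      (B_ADMINS_UNIVERSAL, C_DOMAIN_ADMINS), (B_ADMINS_UNIVERSAL, C_BUILTIN_ADMINS)]):
        print(row)
```

    Running it shows the two rejected pairings (anything from domain B into domain C's Domain Admins) and the two accepted ones (into domain C's Builtin Administrators), which is the behaviour study observed in ADUC.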
  4. study

    study Guest

    Hello guys,

    What I'm trying to do is this: since the same admins manage both domains A and B,
    instead of having a domain admin account for each domain, I would like to
    consolidate and have them use just one single account from one domain and be
    able to manage both domains using that account, and be able to manage not
    only the client computers/member servers but the DCs as well. At the same
    time, they don't need to be an enterprise admin.

    What would be the most efficient way to accomplish this?

    thanks!
     
    study, Oct 23, 2008
    #4
  5. Marcin

    Marcin Guest

    Add these accounts to the local Administrators groups (the domain local group and the local
    groups on all domain member computers) in both domains...

    hth
    Marcin
     
    Marcin, Oct 24, 2008
    #5
  6. study

    study Guest

    What about managing the users in another domain?
    I've added the admins from domain B to domain C's built-in
    Administrators group on domain C's DC using ADUC, but unless they log in
    locally to domain C's DC, they don't have the permissions to delete/add
    users in domain C via ADUC.
    Is making them OU admins in domain B the only way to go?

    Thanks
     
    study, Oct 24, 2008
    #6
  7. study

    study Guest

    Sorry, I meant
     
    study, Oct 24, 2008
    #7
  8. Paul Bergson [MVP-DS]

    Hello study,
    If these admins have connected to the proper domain, they should be able
    to add/change/delete users. Validate that when ADUC is brought up that they
    are connected to a DC from the remote domain. The easiest way to do this
    is to right click on the ADUC line within the MMC and select "Change Domain".
    Select the remote domain and see if things work.


     
    Paul Bergson [MVP-DS], Oct 24, 2008
    #8
  9. Marcin

    Marcin Guest

    I'm not sure what you mean by "login locally"... In order to make changes to
    accounts residing in domain C, they would need to somehow
    authenticate/connect to one of its domain controllers. This can be
    accomplished in many ways (one way to do this would be to simply point to it
    via the ADUC console)...

    hth
    Marcin
     
    Marcin, Oct 24, 2008
    #9
  10. study

    study Guest

    Hello Paul and Marcin,
    > is to right click on the ADUC line within the MMC and select "Change Domain".
    This is what I was trying to do.
    As a domain admin in domain B, I right-clicked on the ADUC and selected
    "Change Domain" to domain C, then tried to delete/create users, but I got a
    permission denied error.
    This domain admin account in domain B was added to the built-in
    Administrators group in domain C using ADUC in domain C.

    I meant logging in from the physical console. This works (deleting/creating
    users).
     
    study, Oct 27, 2008
    #10
  11. Paul Bergson [MVP-DS]

    Hello study,
    I am stumped. If you have joined this domain B admin account to the "Domain
    Admins" group within domain C and the user account has logged off and logged
    back on, I'm not sure what isn't being set correctly. (?) Especially
    if you can go to a console and do it from within the domain itself.

    Are there any errors in domain C's DC event logs?


     
    Paul Bergson [MVP-DS], Oct 28, 2008
    #11
  12. study

    study Guest

    I had a chance to check again today and it works now.
     
    study, Nov 1, 2008
    #12