Adding another domain's users to your local domain admin group

Discussion in 'Windows Server' started by WooYing, Dec 28, 2005.

  1. WooYing

    WooYing Guest

    I am a little confused about what I should do. I have a 2-way trust between a
    Win2K3 Native mode domain called ABC.com and my domain, which is a Win2K3 Mixed
    Mode domain named 123.com. Now I am trying to add a user from another
    domain to my domain admin group on 123.com. I know I cannot add users from
    another domain if it is a global group, which the domain admin group is, but I can
    add users to a local group. But I cannot add a local group to a global
    group. So for all you experts out there, what is the best way to handle my
    situation? Thanks in advance.
     
    WooYing, Dec 28, 2005
    #1

  2. What exactly are you trying to achieve? What IS your situation?
     
    Jorge de Almeida Pinto, Dec 28, 2005
    #2

  3. WooYing

    WooYing Guest

    What I am trying to achieve is to add another user from ABC.com to my 123.com
    domain and add him to the domain admin group. This way, when I am out of the
    office, he can check on the domain for me. Hope this helps.


     
    WooYing, Dec 28, 2005
    #3
  4. As you already said, it is not possible to add a user from a certain domain to the
    domain admins group of another domain.
    Add him to the administrators group of the domain instead.

    remember: ONLY HIGHLY TRUSTED PEOPLE SHOULD BE MADE MEMBERS OF POWERFUL
    ADMIN GROUPS!
     
    Jorge de Almeida Pinto, Dec 28, 2005
    #4
  5. You can add that user to the "administrators" group in your domain, or create
    a user account in the domain that is in the domain admins group so that he
    can log on to that account instead of his regular account. Note that, unlike
    the domain admins group, the administrators group in a domain is not in the
    local administrators group in every computer in the domain, though you can
    add users from the trusted domain to the local administrators group of
    domain computers manually, via Group Policy startup script, or via Group
    Policy Restricted Groups if need be. But be careful with Restricted Groups,
    because you can delete current membership in the administrators group
    depending on how you configure it. --- Steve
     
    Steven L Umbach, Dec 28, 2005
    #5
  6. WooYing

    WooYing Guest

    Jorge, I have no idea what you've just said. Please re-read your sentences.
    Can this be done or not?


     
    WooYing, Dec 28, 2005
    #6
  7. Manny Borges

    Manny Borges Guest

    You know it, do you?

    Have you tried it?

    If you have set the trust up correctly there is no standard reason why a
    user from a trusted domain can't be added to your domain admins. (There are
    some non-standard reasons why you might not be able to, but I don't deal
    with facts not in evidence if I can help it.)

    You can add the account directly in, or you can use a global group created in
    the trusted domain that contains that other user's account and make that a
    member of the domain admins of the trusting domain.

    Keep in mind I have given you the basic, lazy slug, security-ignorant admin
    approach. Best practice implementation is a little more involved, but you
    really need some time with a book and a test system before we take that
    path.

    My own account at work is in a separate domain and it has been added to
    several other domains' domain admin-ish groups.

    Or are we dealing with another college/high school student who needs help
    with their homework?

    --
    Manny Borges
    MCSE NT4-2003 (+ Security)
    MCT, Certified Cheese Master

    There are 10 kinds of people in the world. Those who do understand binary
    and those who don't.
     
    Manny Borges, Dec 28, 2005
    #7
  8. Then you would need to use plan B as I suggested and add his domain account
    to the administrators group in Active Directory Users and Computers if you
    really want him to have administrator powers in your domain. The domain
    admins group is simply a global group that is in the administrators group
    for the domain, is included in access control lists, and is in the local
    administrators group of all domain computers. Note that once he is an
    administrator in your domain he can create a user account in your domain to
    log on to, which will allow him to bypass those scripts that run on his domain
    account if he is so inclined. --- Steve
     
    Steven L Umbach, Dec 28, 2005
    #8
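
As an added example (not part of the original thread): a read-only PowerShell audit of the built-in Administrators group discussed in the replies above, showing which members are nested groups such as Domain Admins and which are accounts from a trusted domain. It assumes the ActiveDirectory module is installed and uses the thread's 123.com as the domain name.

```powershell
# Added example, not from the thread. Read-only: makes no changes to the directory.
# Assumptions: ActiveDirectory module (RSAT) is available; 123.com is the
# trusting domain named in the thread.
Import-Module ActiveDirectory

$Domain = '123.com'

# The built-in Administrators domain local group has the well-known SID
# S-1-5-32-544 in every domain, so look it up by SID rather than by name.
$admins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $Domain -Properties member

$report = foreach ($dn in $admins.member) {
    $obj = Get-ADObject -Identity $dn -Server $Domain -Properties objectSid

    # An account from a trusted domain is stored in the trusting domain as a
    # foreignSecurityPrincipal object named after the account's SID.
    $isForeign = $obj.ObjectClass -eq 'foreignSecurityPrincipal'

    $account = $obj.Name
    if ($isForeign) {
        try {
            # Resolve the SID across the trust to DOMAIN\name form.
            $account = $obj.objectSid.Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            # Trust unavailable or account deleted: keep the raw SID visible.
            $account = "$($obj.objectSid.Value) (unresolved)"
        }
    }

    [pscustomobject]@{
        Account           = $account
        ObjectClass       = $obj.ObjectClass
        FromTrustedDomain = $isForeign
        IsNestedGroup     = $obj.ObjectClass -eq 'group'
    }
}

# Trusted-domain accounts first, then nested groups, then local accounts.
$report |
    Sort-Object -Property FromTrustedDomain, IsNestedGroup -Descending |
    Format-Table -AutoSize
```

Rows with `IsNestedGroup` set still need their own membership reviewed, since every member of a nested group inherits the same rights.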
  9. You can't add a user from a trusted domain to a global group in another
    trusting domain. Global groups can only contain members from their own
    domain. The default domain admins group is a global group. --- Steve
     
    Steven L Umbach, Dec 28, 2005
    #9
  10. Manny Borges

    Manny Borges Guest

    My bad, I meant to say the administrators domain local group.

    --
    Manny Borges
    MCSE NT4-2003 (+ Security)
    MCT, Certified Cheese Master

    There are 10 kinds of people in the world. Those who do understand binary
    and those who don't.
     
    Manny Borges, Dec 29, 2005
    #10
  11. Manny Borges

    Manny Borges Guest

    First...... chill.

    Second, I did give an answer. I made a minor faux pas in my quick typing,
    but what I wrote is accurate and almost correct.

    Third, none of this really addresses your real need, since you never stated
    it. I told you messing with groups like this is the idiot's approach. Rather
    than ask what a more sensible way to do it was, you chose to call me names.
    When did I do that to you?

    Lastly, please try to use proper spelling and punctuation.

    --
    Manny Borges
    MCSE NT4-2003 (+ Security)
    MCT, Certified Cheese Master

    There are 10 kinds of people in the world. Those who do understand binary
    and those who don't.
     
    Manny Borges, Dec 29, 2005
    #11
  12. Roger Abell

    Roger Abell Guest

    Don't worry, Woo Ying, about Manny's mistaken reply.
    It would be better had it not been made.
    Just follow the advice Steve has given.

    You will be far, far better off if you limit the amount of
    Domain Admin access and usage that happens anyway.
    For daily management of an established infrastructure there
    is very little reason to use a Domain Admin account, as use
    of delegated authority is possible for most things, and if access
    to diverse client systems is the objective, use of a custom group
    in the machine local Administrators allows you to avoid having
    an all-powerful Domain Admin account at risk from (over) use.

    Roger
     
    Roger Abell, Dec 30, 2005
    #12
