How to give cross-domain "Domain Admins" permissions

Discussion in 'Active Directory' started by Diego Galindez, Feb 26, 2007.

  1. Imagine the following scenario:

    Domain corp
    Domain europe.corp
    Domain asia.corp

    How can you make a user in domain "Europe" a "Domain Admin" of domain "Asia"?

    Since "Domain Admins" is a Global Security Group it won't admit members
    outside its domain...

    I've read the "Active Directory delegation best practices" but couldn't find
    an answer for it...

    Tks
    Diego
     
    Diego Galindez, Feb 26, 2007
    #1

  2. Some additional information.
    I've already added EUROPE\User1 to the "Administrators" group in the "ASIA"
    domain but I still need "Domain Admins" privileges and not just
    "Administrators".
     
    Diego Galindez, Feb 26, 2007
    #2

  3. If you add that group to the administrators group on a DC, you have domain
    admin permissions over the domain itself, and all the DCs. To get the
    Domain Admin permissions across all members of the domain you need to add
    yourself to a group that is either a direct or nested member of the
    administrators groups on all workstations and member servers in the domain.
    Have a look at this for some examples:
    -- http://www.msresource.net/content/view/45/47/


    I'd add a domain local group to the administrators group in each domain and
    add a global to that group and my users into that group, e.g. nest
    EUROPE\Domain Admins into ASIA\Asia Admins.
     
    Paul Williams [MVP], Feb 26, 2007
    #3
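    The nesting scheme Paul describes above, written out as an added PowerShell
    example (this is not code from the thread or from Microsoft). It assumes the
    RSAT ActiveDirectory module, a working trust between europe.corp and
    asia.corp, rights to create and populate groups in asia.corp, and an OU path
    for the new group that is made up here.

```powershell
# Added example (not from the thread). Assumes: trust in place between
# europe.corp and asia.corp, RSAT ActiveDirectory module, run as a user with
# group-management rights in asia.corp. The OU path is an assumption.
Import-Module ActiveDirectory

$AsiaDC   = 'asia.corp'
$EuropeDC = 'europe.corp'

# 1. Domain local group in ASIA that will carry the rights (the thread's "Asia Admins").
$asiaAdmins = New-ADGroup -Name 'Asia Admins' -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Admin Groups,DC=asia,DC=corp' -Server $AsiaDC -PassThru

# 2. Nest EUROPE's global group into it. Domain local groups accept principals
#    from trusted domains; AD records the member as a foreignSecurityPrincipal
#    object in ASIA. The member object must come from a DC of its own domain.
$euroAdmins = Get-ADGroup -Identity 'Domain Admins' -Server $EuropeDC
Add-ADGroupMember -Identity $asiaAdmins -Members $euroAdmins -Server $AsiaDC

# 3. Put the domain local group into ASIA's BUILTIN\Administrators.
Add-ADGroupMember -Identity 'Administrators' -Members $asiaAdmins -Server $AsiaDC

# The direct route does not work: Domain Admins is a global group, and global
# groups only take members from their own domain, so this add is rejected.
try {
    Add-ADGroupMember -Identity 'Domain Admins' -Members $euroAdmins -Server $AsiaDC -ErrorAction Stop
} catch {
    Write-Warning "Adding a foreign principal to a global group failed as expected: $($_.Exception.Message)"
}

# Verify the chain by reading the member attribute directly.
# (Get-ADGroupMember -Recursive can fail on foreign security principals.)
(Get-ADGroup -Identity 'Administrators' -Server $AsiaDC -Properties member).member
(Get-ADGroup -Identity $asiaAdmins     -Server $AsiaDC -Properties member).member
```

    The point of the three-step chain is the scope rules: global groups
    (Domain Admins) only hold principals from their own domain, while domain
    local groups can hold principals from any trusted domain, so the domain
    local group is the only place the foreign group can be attached.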
  4. But the domain local "Administrators" group does not have some privileges
    that "Domain Admins" do.
    I don't want to have admin privileges over all member servers/workstations,
    instead I'm just trying to give a single group "EUROPE\Directory Service
    Group" domain admins rights over all the domains in the forest.

    These rights should allow them to modify AD Topology/replication,
    view/create/modify existing GPOs, among others.
     
    Diego Galindez, Feb 26, 2007
    #4
    You are quite correct, a domain's Administrators group is not
    empowered over AD objects as is its DA group; and that use
    of the DA is problematic except for users of its own domain.
    You need to either look at using delegations to this Euro\DSgroup,
    or at using Enterprise Admin for some things (control AD topology).
    EA has direct grants in places, but may in fact be way too much for
    what you are after. Other things you mention are simply delegated.
    The final alternative is not using accounts from foreign domains
    for DA tasks.
     
    Roger Abell [MVP], Feb 27, 2007
    #5
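    The delegation route Roger suggests, as an added PowerShell example (not
    code from the thread or from Microsoft): grant EUROPE\Directory Service
    Group control of the Sites container in the Configuration partition (where
    site links, subnets and replication connection objects live) and GPO
    create/edit/link rights in each domain, instead of making it EA or DA. It
    assumes RSAT (ActiveDirectory and GroupPolicy modules plus dsacls.exe), the
    thread's domain and group names, and that it is run as an Enterprise Admin,
    since the Configuration partition is forest-wide and EA controls it by
    default.

```powershell
# Added example (not from the thread): delegate the specific rights instead of
# handing out DA/EA. Assumes RSAT with the ActiveDirectory and GroupPolicy
# modules and dsacls.exe, the thread's domain names, and an EA session.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Group    = 'EUROPE\Directory Service Group'
$ConfigNC = (Get-ADRootDSE -Server 'corp').configurationNamingContext   # CN=Configuration,DC=corp
$Domains  = 'corp', 'europe.corp', 'asia.corp'

# 1. Topology/replication: full control over Sites and everything beneath it.
#    GA = generic all; /I:T = this object and all sub-objects.
#    ${Group} is braced so PowerShell does not read "$Group:GA" as a scope qualifier.
dsacls "CN=Sites,$ConfigNC" /I:T /G "${Group}:GA"

# 2. GPOs, per domain.
foreach ($d in $Domains) {
    $domainDN = (Get-ADDomain -Server $d).DistinguishedName

    # Create new GPOs: right to create groupPolicyContainer objects under the
    # Policies container (this is what GPMC's delegation tab on the
    # "Group Policy Objects" node sets).
    dsacls "CN=Policies,CN=System,$domainDN" /G "${Group}:CC;groupPolicyContainer"

    # Edit, delete and modify security on every GPO that exists today.
    # New GPOs created later by others need this re-run (or their creator to grant it).
    Get-GPO -All -Domain $d | ForEach-Object {
        Set-GPPermission -Guid $_.Id -Domain $d -TargetName $Group -TargetType Group `
            -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
    }

    # Link GPOs at the domain root: write gPLink and gPOptions on the domain object.
    dsacls $domainDN /G "${Group}:WP;gPLink"
    dsacls $domainDN /G "${Group}:WP;gPOptions"
}

# 3. Read back what the ACL on Sites now says for the group.
dsacls "CN=Sites,$ConfigNC" | Select-String 'Directory Service Group'
```

    Scope the grants to what is actually needed: if the group should only manage
    replication connections and not subnets or site links, target the individual
    site or NTDS Settings objects rather than the whole Sites container, and add
    OU-level link rights (gPLink on the OUs) instead of the domain root where
    that suffices.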
    > But the domain local "Administrators" group does not have some privileges
    Domain Admins don't have any special permissions, the group is simply a
    member of administrators on every domain member and the
    builtin\administrators group of the domain. If you've added a group to the
    Administrators group of the EUROPE domain it has the same level of
    permissions over the DCs and AD as the EUROPE\Domain Admins group.

    Then you need to add that group into the Administrators group (of the
    domain) in each domain.

    Yes, this will grant them all that.

    There are security implications here. It should be noted that there should
    be very few people with total control over the forest, so be very careful
    with who's a member of this group. Monitor the membership and use
    restricted groups to enforce the membership of this, and the administrators
    groups.
     
    Paul Williams [MVP], Feb 27, 2007
    #6
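    Paul's closing advice is to keep the membership of these groups tiny and to
    monitor it. Below is an added PowerShell example (not code from the thread
    or from Microsoft) that enumerates the effective membership of
    BUILTIN\Administrators in each domain, expanding nested groups and resolving
    foreignSecurityPrincipal entries (members from trusted domains) by SID, then
    flags anything not on an approved list. It assumes the RSAT ActiveDirectory
    module, read access to every domain over the trust, and the thread's domain
    and group names; the approved lists are made up for the example.

```powershell
# Added example, not part of the thread. Walks BUILTIN\Administrators in each
# domain, expands nested groups, resolves foreign security principals by SID and
# warns on members that are not on an approved list. Assumes RSAT
# ActiveDirectory module and read access to each domain. Approved lists below
# are constructed for the example.
Import-Module ActiveDirectory

function Get-EffectiveMembers {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [Parameter(Mandatory)][string]$Server,
        [hashtable]$Seen = @{}          # breaks nested-group cycles
    )
    if ($Seen.ContainsKey($GroupDN)) { return }
    $Seen[$GroupDN] = $true

    # Read the member attribute directly; Get-ADGroupMember -Recursive can fail
    # when a group contains principals from a trusted domain.
    $members = (Get-ADGroup -Identity $GroupDN -Server $Server -Properties member).member
    foreach ($dn in $members) {
        $obj = Get-ADObject -Identity $dn -Server $Server -Properties objectSid, objectClass
        $sid = [System.Security.Principal.SecurityIdentifier]$obj.objectSid.Value
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = "$($sid.Value) (unresolvable SID)" }

        [pscustomobject]@{ Group = $GroupDN; Member = $name; Class = $obj.objectClass; Via = $Server }

        if ($obj.objectClass -eq 'group') {
            # Nesting inside this domain: keep walking on the same DC.
            Get-EffectiveMembers -GroupDN $dn -Server $Server -Seen $Seen
        }
        elseif ($obj.objectClass -eq 'foreignSecurityPrincipal' -and $name -match '^(?<dom>[^\\]+)\\') {
            # Member from a trusted domain. Look it up there and, if it is a
            # group, keep walking on that domain's DC so nested foreign groups
            # are not missed.
            $foreignNetbios = $Matches.dom
            try {
                $foreign = (Get-ADDomain -Identity $foreignNetbios).DNSRoot
                $fobj = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'" -Server $foreign
                if ($fobj.ObjectClass -eq 'group') {
                    Get-EffectiveMembers -GroupDN $fobj.DistinguishedName -Server $foreign -Seen $Seen
                }
            } catch {
                Write-Warning "Could not expand $name in $foreignNetbios : $($_.Exception.Message)"
            }
        }
    }
}

# Constructed approved lists: who is allowed to end up in Administrators, per domain.
$Approved = @{
    'corp'        = @('CORP\Administrator', 'CORP\Domain Admins', 'CORP\Enterprise Admins')
    'europe.corp' = @('EUROPE\Administrator', 'EUROPE\Domain Admins', 'CORP\Enterprise Admins')
    'asia.corp'   = @('ASIA\Administrator', 'ASIA\Domain Admins', 'CORP\Enterprise Admins',
                      'ASIA\Asia Admins', 'EUROPE\Directory Service Group')
}

foreach ($domain in $Approved.Keys) {
    # BUILTIN\Administrators by its well-known SID, so renames do not matter.
    $adminsDN = (Get-ADGroup -Identity 'S-1-5-32-544' -Server $domain).DistinguishedName
    $found = Get-EffectiveMembers -GroupDN $adminsDN -Server $domain
    $found | Format-Table -AutoSize
    $found | Where-Object { $Approved[$domain] -notcontains $_.Member } | ForEach-Object {
        Write-Warning "$domain Administrators: unexpected member $($_.Member) (via $($_.Group))"
    }
}
```

    Run this on a schedule and diff the output against the previous run; the
    Restricted Groups policy Paul mentions then enforces the intended list, and
    this report tells you when someone has slipped a member into one of the
    nested groups rather than into Administrators itself.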
