VERY frustrating. please help with group permission problem

Discussion in 'Active Directory' started by Phillip Drummond, Sep 13, 2007.

  1. i need this done today.
    i have 2 domains in different forests (domain1 and domain2). i simply need 1
    account to be domain admins in BOTH domains. i have created the necessary
    account in domain1 and added it to domain admins in domain1. HOW can i make
    this account a domain admin in domain2?

    thank you
    Phillip Drummond, Sep 13, 2007
  2. yes but apparently "administrators" is not the same as "domain admins"
    because i too did this and it doesn't work. i still get permission denied
    when i try to make WMI calls from one domain to the other

    so... what now?
    Phillip Drummond, Sep 13, 2007
  3. jwd Guest

    Domain Admins is a global group so therefore cannot contain accounts from
    other domains.

    What exact permissions do you need to assign this account?

    Best Regards
    Joe Dunn MCSE
    jwd, Sep 13, 2007
  4. i am using Nagios to monitor servers in both domains. this happens via WMI
    calls. the server that is executing the WMI scripts is in domain1, and the
    account the WMI scripts run as is also in domain 1. when i point to a
    machine in domain2 i get permission denied. the only work around i have
    found is to add the account as a local administrator on every server in
    domain2 but this is not practical. so how better could i go about this?
    Phillip Drummond, Sep 14, 2007
  5. jwd Guest

    You can use Group Policy to add a group to the local administrators group on
    all the servers.

    To do this, create a domain local group in domain 2 and add the appropriate
    account from domain 1 to this group.

    Then link a new GPO to the OU(s) that contain the servers you wish to
    monitor or edit an existing GPO. In this GPO use the Restricted Group
    setting. Select the local group that you created and make it a 'member of'
    builtin\administrators (make sure you type this rather than selecting using
    the Browse button)

    This will then give your account from domain 1 local administrative rights
    on all the computers this GPO applies to.

    Alternatively instead of creating a domain local group you could just add
    the Domain Admins group from domain 1 to builtin\administrators using the
    same method as above.

    Hope this helps

    Best Regards
    Joe Dunn MCSE
    jwd, Sep 14, 2007
  6. yeah this sounded great but it's not working of course. i created the group,
    added the user from domain 1, then added that group to
    builtin\administrators via restricted groups in gpo.... did a gpupdate on
    one of the machines in that domain and.... NOTHING. the group is not added
    to local admins
    Phillip Drummond, Sep 14, 2007
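
A way to check the Restricted Groups approach from post 5 across several servers, as an added example that is not part of the original thread. The group name and server names are hypothetical placeholders, and the script assumes the built-in group has its English name, Administrators.

```powershell
# Added example: audit local Administrators membership after the GPO refresh.
# All names below are hypothetical placeholders, not values from the thread.
$ExpectedGroup = 'DOMAIN2\Monitoring-LocalAdmins'   # domain local group created in domain2
$Servers       = @('SERVER01', 'SERVER02')          # computers in the OU the GPO is linked to

function Get-LocalAdministrator {
    param([Parameter(Mandatory)][string]$ComputerName)

    # WinNT ADSI provider; 'Administrators' is the English name of the built-in group.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in $group.Invoke('Members')) {
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # ADsPath looks like WinNT://DOMAIN/name (domain principal) or
        # WinNT://DOMAIN/COMPUTER/name (local account); normalise to backslashes.
        ($adsPath -replace '^WinNT://', '') -replace '/', '\'
    }
}

$report = foreach ($server in $Servers) {
    try {
        $members = @(Get-LocalAdministrator -ComputerName $server)
        [pscustomobject]@{
            Computer      = $server
            ExpectedFound = $members -contains $ExpectedGroup   # case-insensitive match
            Members       = $members -join '; '
            Error         = $null
        }
    }
    catch {
        # Unreachable host or access denied: record it instead of stopping the audit.
        [pscustomobject]@{
            Computer      = $server
            ExpectedFound = $false
            Members       = $null
            Error         = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize -Wrap
```

The Members column lists every principal that holds local administrator rights on each server, so the same report shows what else is in the group besides the expected one.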
