Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Active Directory » Add Users to DomainADM Grup in other domain - WP
Add Users to DomainADM Grup in other domain - WP [message #157590] Thu, 09 July 2009 09:10 Go to next message
WildPacket  is currently offline WildPacket
Messages: 130
Registered: July 2009
Senior Member
Single forest, multi-domain environment (domain A and B), is there a
way to add a user/group from domain B to domain A's domain admins group?

It seems the domain admins group in Domain A only accepts contacts or other
objects and not users or groups if adding objects from another domain.

Advise Please.

Thanks,
Re: Add Users to DomainADM Grup in other domain - WP [message #157594 is a reply to message #157590] Thu, 09 July 2009 10:01 Go to previous messageGo to next message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
"WildPacket" <WildPacket@discussions.microsoft.com> wrote in message news:7ACF7C9C-5138-4859-8FB2-6944EFD903FA@microsoft.com...
>
> Single forest, multi-domain environment (domain A and B), is there a
> way to add a user/group from domain B to domain A's domain admins group?
>
> It seems the domain admins group in Domain A only accepts contacts or other
> objects and not users or groups if adding objects from another domain.
>
> Advise Please.
>
> Thanks,
>


Basic rule is:
AGDULP
Accounts, Global, Universal, Domain Local, Permissions

Add Accounts to a Global Group, then add them to a Universal group, then add the universal to a Local Group, then apply Permissions to the Local Group.

The basic key to it is Group Nesting and the rules behind it. The idea is to add a Local Group to a resource, and apply permissions, then add users or groups (no matter from where in the forest) to the Local group. I mean not everyone follows it, however when going from one domain to another, you will need to.

With Global Groups, you can only add objects from it's own domain. For domain to domain permissions, you can add the Domain Admin group from Domain "A" to the Local Administrators group in "B." You can also directly add user from A to B's Local Groups, too, but you can't add Global Groups from one domain to another.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCT, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
Re: Add Users to DomainADM Grup in other domain - WP [message #157595 is a reply to message #157594] Thu, 09 July 2009 10:29 Go to previous messageGo to next message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
In news:7ACF7C9C-5138-4859-8FB2-6944EFD903FA@microsoft.com,
>
> Basic rule is:
> AGDULP
> Accounts, Global, Universal, Domain Local, Permissions

Typo - Should have read as: AGUDLP.
Re: Add Users to DomainADM Grup in other domain - WP [message #157625 is a reply to message #157590] Thu, 09 July 2009 23:59 Go to previous messageGo to next message
meiweb(nospam)  is currently offline meiweb(nospam)  Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello WildPacket,

See here aboput using group scopes:
http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Single forest, multi-domain environment (domain A and B), is there a
> way to add a user/group from domain B to domain A's domain admins
> group?
>
> It seems the domain admins group in Domain A only accepts contacts or
> other objects and not users or groups if adding objects from another
> domain.
>
> Advise Please.
>
> Thanks,
>
Re: Add Users to DomainADM Grup in other domain - WP [message #157643 is a reply to message #157594] Fri, 10 July 2009 08:24 Go to previous messageGo to next message
WildPacket  is currently offline WildPacket
Messages: 130
Registered: July 2009
Senior Member
Thanks Ace. It helped.





"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "WildPacket" <WildPacket@discussions.microsoft.com> wrote in message news:7ACF7C9C-5138-4859-8FB2-6944EFD903FA@microsoft.com...
> >
> > Single forest, multi-domain environment (domain A and B), is there a
> > way to add a user/group from domain B to domain A's domain admins group?
> >
> > It seems the domain admins group in Domain A only accepts contacts or other
> > objects and not users or groups if adding objects from another domain.
> >
> > Advise Please.
> >
> > Thanks,
> >
>
>
> Basic rule is:
> AGDULP
> Accounts, Global, Universal, Domain Local, Permissions
>
> Add Accounts to a Global Group, then add them to a Universal group, then add the universal to a Local Group, then apply Permissions to the Local Group.
>
> The basic key to it is Group Nesting and the rules behind it. The idea is to add a Local Group to a resource, and apply permissions, then add users or groups (no matter from where in the forest) to the Local group. I mean not everyone follows it, however when going from one domain to another, you will need to.
>
> With Global Groups, you can only add objects from it's own domain. For domain to domain permissions, you can add the Domain Admin group from Domain "A" to the Local Administrators group in "B." You can also directly add user from A to B's Local Groups, too, but you can't add Global Groups from one domain to another.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
>
> Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.
>
> Ace Fekay, MCT, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging
> Microsoft Certified Trainer
> aceman@mvps.RemoveThisPart.org
> http://twitter.com/acefekay
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
>
Re: Add Users to DomainADM Grup in other domain - WP [message #157645 is a reply to message #157643] Fri, 10 July 2009 08:33 Go to previous message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
"WildPacket" <WildPacket@discussions.microsoft.com> wrote in message news:AEC24540-FD78-44A4-A1D7-1D0EAE3E82A1@microsoft.com...
> Thanks Ace. It helped.

Good to hear!

Ace
Previous Topic:Netbios name displayed instead of the FQDN name in DHCP console ?
Next Topic:AzMan/ADAM store permissions
Goto Forum:
  


Current Time: Tue Jan 16 10:40:05 MST 2018

Total time taken to generate the page: 0.07200 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software