Cross Domain privileges for Domain Admins [message #160908] Thu, 10 September 2009 08:56
dr_Lester

Hello, I'm searching for how domain admins can have the same rights on the other
domain.

The architecture is:
Dom1 = 1 forest and 1 domain (forest and domain functional levels are 2003)
Dom2 = 1 forest and 1 domain (forest and domain functional levels are 2003)
I have created a forest trust relationship.
DNS configuration: forwarder by domain.
Actually, my domain admins in dom1 are administrators in dom2.

I have seen this solution in another post:
http://forums.techarena.in/active-directory/1195414.htm#post 4607042
>
> Create a global group in domain 1 and place the user account (domain admin)
> within this group. Then create a universal group in domain 2 and place the
> global group created in domain 1 into the universal group and place the
> universal group in the domain admin group in domain 2.
>

But in the dom2 universal group I don't see the dom1 global group.

Thanks


--
dr_Lester
Re: Cross Domain privileges for Domain Admins [message #160912 is a reply to message #160908] Thu, 10 September 2009 09:35
aceman

Thank you for starting a new thread and for providing information regarding
your infrastructure and scenario.

The link you referenced is for two domains in the same forest, which is why
it is not working for you with a trust.

The basic idea behind a forest trust to allow cross-forest (not domain)
privileges is basically:

Add ForestB's Root Domain Administrator account to the local Administrators
group in ForestA's Root domain.
Add ForestA's Root Domain Administrator account to the local Administrators
group in ForestB's Root domain.

That will allow ForestA's administrator to administer ForestB and ForestB's
administrator to administer ForestA.

As for Universal and Global groups, you can add them across the forest trust,
and they would need to be added to a local group on the other side of the
trust.

So if you create a Local Group (not Global or Universal) in ForestA
called Accounting, you can add the Accounting Universal Group from ForestB
into ForestA's Local Accounting Group.

Then in ForestA, you can add users or global groups from any domain in
ForestA's forest to the Local Accounting Group, then add the Local
Accounting Group to a resource (such as a folder in the domain it was
created).

Basically we want to follow this guideline:
AGGUUDLP

Add users into a Global Group, which you can nest into another Global Group,
which you can add into a Universal Group, which can be nested into another
Universal Group, which is then added to a Domain Local Group, which is added
to the ACL of a resource and permissions applied appropriately.

I hope that helps.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
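
The group-scope rules behind the AGGUUDLP guideline, as an added example that is not part of the original posts: a small checker that validates each hop of a nesting chain and shows where the recipe quoted in the question stops across a forest trust. All group and account names and the trust set are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    kind: str      # "user", "global", "universal" or "domain_local"
    domain: str
    forest: str

def can_nest(member, group, trusted_forests=frozenset()):
    """Return (allowed, rule) for adding member to group under AD scope rules."""
    same_domain = member.domain == group.domain
    same_forest = member.forest == group.forest
    if group.kind == "global":
        ok = same_domain and member.kind in ("user", "global")
        why = "global groups accept only users and global groups from their own domain"
    elif group.kind == "universal":
        ok = same_forest and member.kind in ("user", "global", "universal")
        why = "universal groups accept only users, global and universal groups from their own forest"
    elif group.kind == "domain_local" and member.kind == "domain_local":
        ok = same_domain
        why = "domain local groups nest into each other only within one domain"
    elif group.kind == "domain_local":
        ok = same_forest or member.forest in trusted_forests
        why = "domain local groups accept members only from their forest and trusted forests"
    else:
        raise ValueError(f"{group.name} is not a group")
    return ok, why

def check_chain(chain, trusted_forests=frozenset()):
    """Validate each hop of a nesting chain; return the first failure or None."""
    for member, group in zip(chain, chain[1:]):
        ok, why = can_nest(member, group, trusted_forests)
        if not ok:
            return f"{member.name} -> {group.name}: {why}"
    return None

# Constructed objects mirroring the thread: two single-domain forests, dom2 trusts dom1.
ADMIN = Principal("dom1-admin", "user", "dom1", "dom1")
G1 = Principal("Dom1-Admins-G", "global", "dom1", "dom1")
U2 = Principal("Dom2-Admins-U", "universal", "dom2", "dom2")
DL2 = Principal("Dom2-Admins-DL", "domain_local", "dom2", "dom2")
DA2 = Principal("Domain Admins", "global", "dom2", "dom2")
TRUST = frozenset({"dom1"})

if __name__ == "__main__":
    print(check_chain([ADMIN, G1, U2, DA2], TRUST))  # the recipe quoted in the question
    print(check_chain([ADMIN, G1, DL2], TRUST))      # global group into a domain local group
```

The first chain fails at the dom1 global group entering the dom2 universal group, which is why that group is not offered in the member picker; the second chain passes only while the trust is in place.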