Re: Trusts

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

anonymous_at_discussions.microsoft.com
Date: 05/11/04 

Date: Tue, 11 May 2004 07:02:25 -0700

I use an application on the NT40 domain that needs Domain
admin rights. This same user on the NT40 domain (we'll
call it ADMIN01) needs domain admin rights on the WIndows
2000 domain. I cannot set up another user cause the
application can only use one main domain admin account.

Is this possible?

>-----Original Message-----
>You can't only trust one user, once you establish the
trust it applies to the
>entire domain, anything that isn't properly secured (i.e.
anything that doesn't
>have a specific group for it instead of everyone or
authenticated users, etc)
>will be open to everyone in that domain.
>
>Also Domain Users is a global group. A global group can
only have users from the
>domain the group exists in. I.E. If I have a domain
called DomX, I can only put
>users from DomX into Domx\Domain Admins.
>
>The way you need to do this is set up the user with a
userid in the 2K domain.
>Being a domain admin, that user should easily be able to
understand how to use
>that ID without a trust.
>
> joe
>
>
>--
>Joe Richards Microsoft MVP Windows Server Directory
Services
>www.joeware.net
>
>
>
>LarryP wrote:
>> I have a Windows 2000 domain running AD and a NT40
domain.
>>
>> As the Windows 2000 domain, I want to be able to trust
>> only one user from the NT40 domain and add him to the
>> Domain Admins group on the Windows 2000 domain.
>>
>> On the NT40 domain I added the 2000 domain as a
TrustING
>> domain. And on the Windows 2000 domain I added the
NT40
>> domain under TRUSTED domain.
>>
>> When I got to the Windows 2000 domain (AD users and
>> Computers), I am able to add the user to the Builtin
>> Administrators group, however when I go to the
properties
>> of Domain Admins under USERS, I am unable to see my
NT40
>> Domain to add the NT40user. Why?
>.
>

Relevant Pages

  • Windows 2003 Server Dilema
    ... After moving all of the files from the original server (Windows 2000), ... When a domain admin logs on to the system, ...
    (microsoft.public.windows.server.general)
  • AD domain management
    ... Domain A is Windows 2000 with Active Directory. ... Domains and Trusts", I see that the converted trust is an "external, ... I currently log onto a machine in Domain A under my personal account (which ... Domain A's "Domain Admin" is a member of domain B's "Administrator ...
    (microsoft.public.win2000.active_directory)
  • Re: You Have Exceeded the Maximum Number of Computer Accounts
    ... > The MSKB article 314462 discusses the problem: "You Have> Exceeded the Maximum Number of Computer Accounts" Error> Message When You Try to Join a Windows XP Computer to a> Windows 2000 Domain. ... Why would I ever want non-admins to be> able to join computers to the domain? ... For this one OU I want a non domain admin to be able to> add as many computers to the domain as required. ...
    (microsoft.public.windows.server.general)
  • Re: domain admin account locked out
    ... Microsoft MVP [Windows] ... I did another scour through the Security log on the domain ... | account as a success audit. ... | as logging in but it couldn't because the account (domain admin) was ...
    (microsoft.public.windows.server.general)
  • Re: Trusts
    ... Joe Richards Microsoft MVP Windows Server Directory Services ... > I use an application on the NT40 domain that needs Domain ... > call it ADMIN01) needs domain admin rights on the WIndows ... >>You can't only trust one user, ...
    (microsoft.public.win2000.active_directory)