Re: Adding user to Child Domain Group

From: Brian Desmond [MVP] (desmondb_at_payton.cps.k12.il.us)
Date: 11/24/04

Next message: ptwilliams: "Re: Determining which machines I've logged on to"
Previous message: Cary Shultz [A.D. MVP]: "Re: Backout from Native Mode"
In reply to: Tony: "Adding user to Child Domain Group"
Next in thread: Tony: "Re: Adding user to Child Domain Group"
Reply: Tony: "Re: Adding user to Child Domain Group"
Messages sorted by: [ date ] [ thread ]

Date: Wed, 24 Nov 2004 17:45:56 -0600

Tony-

The issue here is group scope. Domain Admins is a global group,
Administrators is a Domain Local group. Adding yourself ot the domain
"Administrators" group gives you almost full control - enough to do most day
to day tasks. Others will require a seperate account.

The reason here is that a global group is exposed to any domain that the
group's parent trusts. In an AD forest, you have implicit trust, but, think
of a situation where child.company.com trusts an external domain
widgets.com. Widgets.com has no idea about the company.com domain where
your account is. Thus, when it sees a group containing users from domains
other than child.company.com it has no way to resolve them.

-- 
-- 
Brian Desmond
Windows Server MVP
desmondb@payton.cps.k12.il.us
http://www.briandesmond.com
"Tony" <tony@spamthis.org> wrote in message
news:udY3a0n0EHA.3468@TK2MSFTNGP14.phx.gbl...
> Hello,
> 1 AD 2003 Forest
> 1 AD 2003 Child Domain in Forest
>
> I'm trying to add my user account from the parent domain into the Domain
> Admins group in the Child Domain but can't. The only option I have is to
add
> a Contact or Other Object. Users, Groups..etc are not an option. I can,
> however, add my user id to the Builtin\Administrators group in the Child
> Domain. I would like to administer both domains from one account. What do
I
> do here?
>
> Thanks,
> Tony
>
>

Next message: ptwilliams: "Re: Determining which machines I've logged on to"
Previous message: Cary Shultz [A.D. MVP]: "Re: Backout from Native Mode"
In reply to: Tony: "Adding user to Child Domain Group"
Next in thread: Tony: "Re: Adding user to Child Domain Group"
Reply: Tony: "Re: Adding user to Child Domain Group"
Messages sorted by: [ date ] [ thread ]

Relevant Pages

Re: Password Problem - Server
... We are not sure if this user in in the Domain Admins ... accounts or the Administrator account. ... password on the administrators account has been changed.or I would say ... Open the Local Policy editor and check the ...
(microsoft.public.windows.server.sbs)
Re: Settle a Administrators dispute
... Administrators Local Group on the DC but not in the Domain Admins ... Global Group, the users of the Global Group do not have the same ... restricted groups policy. ...
(microsoft.public.windows.server.active_directory)
Re: Local admin group?
... You are not well served by using Domain Admins for ... use of account that are members in it should be restricted. ... and have this added to the machine local Administrators group. ...
(microsoft.public.win2000.security)
Re: Local admin group?
... No don't remove the domain admins group from the administrators group for ... Create a global group of users to add the local administrators ... > for the purpose of updates but I don't want them to have admin rights on ...
(microsoft.public.win2000.security)
RE: software to control domain administrators
... Some of these tools allow you to give functionality to administrators ... state that it can lock out domain admins, at least no where that I read. ... Is the Administrator account ever restricted? ... them from the permissions of those objects. ...
(Security-Basics)