Re: Enterprise Management
anonymous_at_discussions.microsoft.com
Date: 03/30/04
- Next message: Derek Melber [MVP]: "Re: Group Policy processing aborted"
- Previous message: Chriss3: "Re: Group Policy processing aborted"
- In reply to: Al Mulnick: "Re: Enterprise Management"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 30 Mar 2004 10:23:57 -0800
Security in that a distribution list is not for security
purposes, I guess I read that as a contradictory statement
of using a non-secured group type for security
privileges. I also like to keep things clean and simple,
when testing the idea of having the adminA account that
can be a full administrative account on the entire domain
(and child domains) was not achievable in the manner that I
was originally seeing on how to do it. It was this that
led me to post so that I can make sure that I'm not opening a
security issue or the best practices method between a
distribution group or adding the
childdomain\administrators group to the local admin group
of the systems of the root domain. Hope I didn't ramble
too much with that...
Thanks for all your information sharing.
Michael
>-----Original Message-----
>Defeat the security how? That you put a contact in there?
>What about DLG's? You could use those per the kb right?
>
>
>Al
>
>
>
><anonymous@discussions.microsoft.com> wrote in message
>news:14a9a01c414f5$e82972b0$a301280a@phx.gbl...
>> Tyr has a post before mine that seems to be relevant to my
>> post. The only thing that I'm not sure of with the use of
>> a universal group in the root that can be added to
>> child\domain admins group is:
>>
>> Distribution Groups
>>
>> Distribution groups have only one function - to create
>> e-mail distribution lists. You use distribution groups with
>> e-mail applications (such as Microsoft Exchange) to send
>> e-mail to the members of the group. As with a security
>> group, you can add a contact to a distribution group so
>> that the contact receives e-mail sent to the group.
>>
>> Distribution groups play no role in security (you do not
>> assign permissions to distribution groups), and you cannot
>> use them to filter Group Policy settings.
>>
>> Doesn't this defeat the security for what I'm looking for
>> in using a universal group? We are working under 2003 AD
>> environment.
>>
>> Michael
>>
>> >-----Original Message-----
>> >
>> >
>> >I'm interested in what you're trying to say here. Can
>> >you reiterate this?
>> >"I can make it happen by
>> >> adding the administrators group of the child into the
>> >> local administrators group so that both the domain
>> >> administrator and administrators groups are on the local
>> >> machines. "
>> >
>> >"Michael" <mmccamey@bigfoot.com> wrote in message
>> >news:147f301c41469$70a30530$a301280a@phx.gbl...
>> >> I am working on the creation of an AD environment. We
>> >> will have 2 domains, root.com and child.root.com. I would
>> >> like to use the administration accounts in the root
>> >> (placed in the domain admins and enterprise admins groups
>> >> or root) to be able to have full administrator rights on
>> >> the child domain. The purpose is to have a single admin
>> >> account for both root and child. The accounts show in the
>> >> administrators group of the child so there are some rights
>> >> in the domain. The default groups for servers and
>> >> workstations in the child is the domain admins which these
>> >> root accounts are not a part of. I can make it happen by
>> >> adding the administrators group of the child into the
>> >> local administrators group so that both the domain
>> >> administrator and administrators groups are on the local
>> >> machines. Is this the only way to achieve this or is
>> >> there a better way? I wish that I could add the
>> >> enterprise admins group to the domain admins group of the
>> >> child but that is not possible.
>> >>
>> >> Thank you for your time.
>> >> Michael
>> >>
>> >
>> >
>> >.
>> >
>
>
>.
>