Re: Forest Trusts

From: Ace Fekay [MVP] (PleaseSubstituteMyActualFirstName&LastNameHere_at_hotmail.com)
Date: 07/21/04


Date: Wed, 21 Jul 2004 07:01:20 -0400

In news:ekHF9kwbEHA.1048@tk2msftngp13.phx.gbl,
Eric A. Weintraub <eric-ng-ms@scriptlogic.com> asked for help and I offered
my suggestions below:
> I don't have a one-way trust configured and it does show as "Forest" as
> the type.
>
> I can put my Enterprise Admins from Forest 1 into the members for
> Forest2\Domain2\Builtin\Administrators (or any other normal group) but
> it seems that Enterprise Admins, Domain Admins are protected somehow
> against out of domain / forest user accounts. And if this is the case
> can that be changed?
>
> Thank you,
>

I think it's Domain Admin (domain level groups) limited, IIRC. I would have
to set this up to test it. I have one client set up with a Forest trust, but
would need to get to his system to check it out. AFAICS, it's restricted to
domain level groups.

I'm assuming all domains are at full functional level?

-- 
Regards,
Ace
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.
This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.