Re: restricted groups?



> ...but because each domain in a forest is a separate security boundary...

Not quite. The forest is the boundary! Domains are administrative
boundaries, with some (basic) security boundaries. However the absolute
security boundary is the forest. Don't forget this; this is a major thing!

With regards to your question, yes you can use restricted groups to add
these users. However, as Lara stated, you cannot add the domain admins from
one domain into the domain admins of another as they are global groups
(global groups can only contain members from their own domains). You must
either add your domain admins to the administrators group of the other
domain, or use a universal group as Lara suggested. Which way you go
depends on what you want the domain admins to be able to do. I would create
a universal group called forest admins or something, add the users into
this, and add this group into the domain admins of each domain if you want
admins in one domain to administer domain members in another. If you just
want administrative access over the other domain, I would add the domain
admins to the administrators group.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
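The following PowerShell is an added example, not code from the original post or from Paul Williams. It assumes the ActiveDirectory module (RSAT) and an account that can write group membership in both domains; the domain names (corp.example, emea.corp.example), the OU path, the group name "Forest Admins" and the user names are placeholders. It creates the universal group, fills it with users from both domains, nests it in each domain's built-in Administrators group (the domain local group that accepts principals from any domain in the forest), shows the error you get when a foreign-domain user is pushed into a global group such as Domain Admins, carries out the other option from the post (Domain Admins of one domain into the Administrators group of the other), and builds the GptTmpl.inf fragment that a Restricted Groups policy writes for the Administrators group.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumptions, not from the post): two domains in one forest, a
# container for the new group, and the users who should be forest-wide admins.
$Domains    = @('corp.example', 'emea.corp.example')
$GroupOU    = 'OU=Groups,DC=corp,DC=example'
$GroupName  = 'Forest Admins'
$AdminUsers = @(
    @{ Domain = 'corp.example';      Sam = 'alice' },
    @{ Domain = 'emea.corp.example'; Sam = 'bob'   }
)

# Resolve a user in its own domain; Add-ADGroupMember needs the object (or its
# SID/DN), not 'DOMAIN\user', when the member lives in another domain.
function Get-ForestUser {
    param([string]$Domain, [string]$Sam)
    Get-ADUser -Identity $Sam -Server $Domain
}

# Universal security group: members may come from any domain in the forest.
function New-ForestAdminGroup {
    param([string]$Name, [string]$Path, [string]$Server)
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -Server $Server
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope Universal -GroupCategory Security `
                         -Path $Path -Server $Server -PassThru
    }
    return $g
}

# Built-in Administrators (S-1-5-32-544) is domain local, so it accepts groups
# and users from other domains in the forest.
function Grant-AdminInDomain {
    param($Principal, [string]$Domain)
    Add-ADGroupMember -Identity 'Administrators' -Members $Principal -Server $Domain
}

# What "use restricted groups" looks like on disk: the [Group Membership]
# section of a GPO's GptTmpl.inf. Members are written as *SID, comma separated.
function New-RestrictedGroupsInf {
    param([string[]]$MemberSids)
    $members = ($MemberSids | ForEach-Object { "*$_" }) -join ','
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = $members
"@
}

# --- Put it together ---
$root  = $Domains[0]
$group = New-ForestAdminGroup -Name $GroupName -Path $GroupOU -Server $root
foreach ($u in $AdminUsers) {
    Add-ADGroupMember -Identity $group -Members (Get-ForestUser @u) -Server $root
}
foreach ($d in $Domains) {
    Grant-AdminInDomain -Principal $group -Domain $d
}

# Global group scope rule: Domain Admins is global, so a member from the other
# domain is refused. Caught here so the rest of the script still runs.
try {
    $foreign = Get-ForestUser -Domain $Domains[1] -Sam 'bob'
    Add-ADGroupMember -Identity 'Domain Admins' -Members $foreign -Server $root -ErrorAction Stop
} catch {
    Write-Warning "Global group rejected cross-domain member: $($_.Exception.Message)"
}

# The other option from the post: root Domain Admins into the child domain's
# Administrators group.
$rootDA = Get-ADGroup -Identity 'Domain Admins' -Server $root
Grant-AdminInDomain -Principal $rootDA -Domain $Domains[1]

# Verify: scope of the new group and the Administrators membership per domain
# (read the Member attribute directly; Get-ADGroupMember can choke on
# foreign security principals).
Get-ADGroup -Identity $group -Server $root | Select-Object Name, GroupScope
foreach ($d in $Domains) {
    Write-Host "Administrators in $d :"
    (Get-ADGroup -Identity 'Administrators' -Server $d -Properties Member).Member
}

# Restricted Groups template that would enforce the same Administrators
# membership through Group Policy (SIDs taken from the objects above).
New-RestrictedGroupsInf -MemberSids @($group.SID.Value, $rootDA.SID.Value)
```

The Restricted Groups fragment is only generated here, not applied; deploying it means placing it under the GPO's Machine\Microsoft\Windows NT\SecEdit path in SYSVOL (or using the Group Policy editor), and because a Restricted Groups "Members" entry replaces the group's existing membership on every refresh, the SID list must include every principal you still want in Administrators.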

