re: External Trust Between Windows 2000 Native Domains (One with 2K servers, and one with 2K3 servers)
- From: rick.kingslan@xxxxxxxxxxxxx
- Date: Wed, 26 Oct 2005 10:37:08 -0700
The Domain Admin gets the rights and privileges that it does mainly from inclusion into a built-in group. That group would be the Built-in Administrators.
Given that you cannot put a member from domain B into a Global group created in domain A, built-in groups are not limited in this way. Put your user into the built-in Administrators group.
Caveat: This is not really the best or preferred practices way to handle this. Likely, one or more of the Security guys here are going to pipe in with "you shouldn't do this." And, they are right. Best method is to create a Local Group, assign permissions and rights that are NECESSARY for what you want to do - and nothing more.
However - it is your system. I deliver a solution to the immediate issue - with the caveat that there are problems that you will face down the road by granting a group this level of access to another domain.
---
Rick [msft]
This posting is provided "AS IS" with no warranties, and confers no rights.
-----Original Message-----
From: Dustin
Posted At: Wednesday, October 26, 2005 7:07 AM
Posted To: microsoft.public.windows.server.active_directory
Conversation: External Trust Between Windows 2000 Native Domains (One with 2K servers, and one with 2K3 servers)
Subject: External Trust Between Windows 2000 Native Domains (One with 2K servers, and one with 2K3 servers)
I have two domains that are each set up with Windows 2000 Native Mode.
One domain contains only servers that are Windows 2000, and the other contains only servers that are Windows 2003. I have established an external, non-forest, non-transitive trust.
I want to take users or groups from DomainB (Windows 2003 Servers) and make them Domain Admins in DomainA (Windows 2000 Servers). I have read that I cannot add them to the Domain Admins group, because it is a Global Group. I checked adding them to the Enterprise Admins group, as I have read, and it is also a Global Group, and not a Universal Group.
When I look to add a member to either of these groups, the only domain that is listed is the current domain, no trusted domains are listed.
What can I do?
Thanks,
Dustin A. Dortch
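
Added example, not part of either post above: a PowerShell function that lists which members of DomainA's built-in Administrators group come from a trusted domain, so that access granted across the trust can be reviewed. It assumes a domain-joined machine in DomainA, PowerShell 3 or later, and the English group name `CN=Administrators,CN=Builtin`; the function name `Get-ForeignAdminMember` is chosen here for illustration.

```powershell
# Added example: audit the built-in Administrators group for members that
# belong to a trusted external domain. Uses ADSI only, no extra modules.
# Assumption: the group's CN is the English "Administrators".

function Get-ForeignAdminMember {
    param(
        # Defaults to the domain of the logged-on user.
        [string]$DomainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )

    $group = [ADSI]"LDAP://CN=Administrators,CN=Builtin,$DomainDN"

    foreach ($dn in $group.member) {
        # Members from across a trust are stored as objects under
        # CN=ForeignSecurityPrincipals and are named by their SID.
        # S-1-5-21-* is a domain account or group; other SIDs in that
        # container are well-known principals and are skipped.
        if ($dn -notmatch '^CN=(S-1-5-21-[\d-]+),CN=ForeignSecurityPrincipals,') {
            continue
        }
        $sid = New-Object System.Security.Principal.SecurityIdentifier $Matches[1]

        # Name resolution needs the trusted domain to be reachable;
        # report the SID alone when it is not.
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved>'
        }

        [pscustomobject]@{
            Group     = 'BUILTIN\Administrators'
            Member    = $name
            Sid       = $sid.Value
            DomainSid = $sid.AccountDomainSid.Value   # identifies the source domain
        }
    }
}

Get-ForeignAdminMember | Format-Table -AutoSize
```

An empty result means no account or group from another domain is currently a direct member of the group; nested membership inside DomainA groups is not expanded.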