Re: delegate privileges in another domain in another forest



Not sure what the need is for a Universal Group. This is a forest trust so
they are in separate forests.

I haven't tried this specific angle but you could try creating a local
domain group and making the members of the other forest members of this
group. Then make this new group part of a restricted group within a GPO
and provide that the group is a member of the local admins.

http://technet2.microsoft.com/WindowsServer/en/Library/156780ef-eb36-4433-b3fe-1b1a15c18f6a1033.mspx?mfr=true

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:O6lOEI9kGHA.1272@xxxxxxxxxxxxxxxxxxxxxxx
Hi

Create Universal Group, make it member of Domain Admins of the domain that
you want to administrate, then make the "others" Domain Admins members of
that U.G.






Active Directory data that is stored in the schema and configuration
containers is replicated to every domain controller in the forest. Since
changes to the schema and configuration containers will affect all domains
in the forest, administrative control for forest-wide changes should be
entrusted to highly trained or experienced administrators. All domain data
contained in the forest root domain should also be regarded as highly
sensitive data.

The following groups provide forest-wide administrative control in each
forest:

- Enterprise Admins
- Domain Admins (in the forest root domain)
- Schema Admins




--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"George" <George@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9437F251-D92E-4EBF-A7A2-B1F75CDA95C5@xxxxxxxxxxxxxxxx
We have two forests with two way external trust enabled and working.

I need to allow our domain admins here to have domain admins privileges in
the other domain that is in another forest. Since domain admins is a global
group I cannot add groups from other domains...

How should I do this? How can I add domain admins from the foreign domain B
to all local admins groups in domain A for all workstations?

Thanks

--
George
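
Added example, not part of the original posts: a Restricted Groups policy such as the one suggested in the reply is stored in the `[Group Membership]` section of the GPO's GptTmpl.inf, where a `__Memberof` line adds a group to local Administrators and a `__Members` line on Administrators itself replaces the whole membership. The Python sketch below audits such a file for both cases; the sample content, domain SID and RIDs are constructed, and it assumes groups are written as SIDs.

```python
import re

ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample of a GPO's GptTmpl.inf. The domain SID and RIDs are made
# up; RID 1601 stands for the domain local group holding the other forest's admins.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1601__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1601__Members =
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1700
[Version]
signature="$CHICAGO$"
"""

def parse_group_membership(inf_text):
    """Return {(group, 'members'|'memberof'): [principals]} from the section."""
    entries, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"^(.+?)__(Members|Memberof)\s*=\s*(.*)$", line, re.I)
        if in_section and m:
            group, kind, value = m.groups()
            names = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
            entries[(group.strip().lstrip("*"), kind.lower())] = names
    return entries

def local_admin_changes(entries):
    """Split the policy's effect on local Administrators into the two modes."""
    # Additive: groups declared as "member of" Administrators.
    added = sorted(g for (g, kind), targets in entries.items()
                   if kind == "memberof" and ADMINS_SID in targets)
    # Authoritative: a __Members line for Administrators replaces its membership,
    # removing anything not listed (None means the policy does not do this).
    replaced_with = entries.get((ADMINS_SID, "members"))
    return {"added": added, "replaced_with": replaced_with}

if __name__ == "__main__":
    print(local_admin_changes(parse_group_membership(SAMPLE_INF)))
```

Reviewing the `added` list against the intended cross-forest group shows exactly which principals the GPO grants local administrator rights on every machine it applies to.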



