Re: delegate privileges in another domain in another forest



Not sure what the need is for a Universal Group. This is a forest trust so
they are in separate forests.

I haven't tried this specific angle but you could try creating a local
domain group and making the members of the other forest members of this
group. Then make this new group part of a restricted group within a GPO
and provide that the group is a member of the local admins.

http://technet2.microsoft.com/WindowsServer/en/Library/156780ef-eb36-4433-b3fe-1b1a15c18f6a1033.mspx?mfr=true

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:O6lOEI9kGHA.1272@xxxxxxxxxxxxxxxxxxxxxxx
Hi

Create a Universal Group, make it a member of Domain Admins of the domain that
you want to administrate, then make the "others" Domain Admins members of
that U.G.






Active Directory data that is stored in the schema and configuration
containers is replicated to every domain controller in the forest. Since
changes to the schema and configuration containers will affect all domains
in the forest, administrative control for forest-wide changes should be
entrusted to highly trained or experienced administrators. All domain data
contained in the forest root domain should also be regarded as highly
sensitive data.

The following groups provide forest-wide administrative control in each
forest:

- Enterprise Admins

- Domain Admins (in the forest root domain)

- Schema Admins




--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"George" <George@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9437F251-D92E-4EBF-A7A2-B1F75CDA95C5@xxxxxxxxxxxxxxxx
We have two forests with two way external trust enabled and working.

I need to allow our domain admins here to have domain admins privileges in
the other domain that is in another forest. Since domain admins is a global
group I cannot add groups from other domains...

How should I do this? How can I add domain admins from the foreign domain B
to all local admins groups in domain A for all workstations?

Thanks

--
George
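
Added example, not part of the original posts: Restricted Groups settings are stored in the GPO's GptTmpl.inf under [Group Membership], and this check separates the additive "This group is a member of" form described in the reply above from the "Members of this group" form, which replaces the existing local Administrators membership. The sample file and its S-1-5-21-1111-2222-3333-* SIDs are constructed placeholders, and the function names are hypothetical.

```python
import re

ADMINS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample; the S-1-5-21-1111-... SIDs are placeholders, not real values.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-21-1111-2222-3333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1105__Members =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-1106
"""

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from [Group Membership]."""
    groups, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "group membership":
            continue
        m = re.match(r"(.+?)__(Members|Memberof)\s*=\s*(.*)$", line, re.I)
        if m:
            group, kind, value = m.group(1).strip(), m.group(2).lower(), m.group(3)
            entry = groups.setdefault(group, {"members": [], "memberof": []})
            entry[kind] = [v.strip() for v in value.split(",") if v.strip()]
    return groups

def admin_grants(groups):
    """Split local-admin grants into additive ("Member of") and replacing ("Members")."""
    # Additive: the listed group is added to Administrators, other members stay.
    additive = sorted(g for g, e in groups.items() if ADMINS in e["memberof"])
    # Replacing: this list becomes the Administrators membership on refresh.
    replacing = sorted(groups.get(ADMINS, {}).get("members", []))
    return {"additive": additive, "replacing": replacing}

if __name__ == "__main__":
    print(admin_grants(parse_group_membership(SAMPLE_INF)))
```

Any SID reported under "replacing" deserves review before the GPO is linked, because local administrators not on that list are removed at the next policy refresh.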



