Re: Trouble with admin access after creating trust.




Thanks Paul. I'll give this group policy a shot next week.

Just as a side note, you say "If they won't place you in the domain
admins group". Well, (I have an admin account on both domains) it is
not possible to add myself from one domain into the domain admins group
- it simply won't allow me to choose from the other domain when I
browse.


Paul Bergson [MVP-DS] wrote:
This makes sense since on the dc's the administrators group is given full
access.

If they won't place you in the domain admins group, then look at using
restricted groups to place you in the local admins group on all
workstations. We do this to provide our Help Desk local administrative
control.

Under gpo's
computer configuration \ windows settings \ restricted groups

group = your group to be made local admins
member of = BUILTIN\Administrators

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/156780ef-eb36-4433-b3fe-1b1a15c18f6a.mspx

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx


There is absolutely nothing that has to be done on the client side.

Create the gpo in the ou where the Computers reside (NOT the users), go to
computer configuration/windows settings/security settings/restricted groups,
right click on restricted groups and select new group (For the local
computers, this group name should be - administrators) and key in the group
you want auto populated. Select add on the Members of this group and then
add the members you want populated.



--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

<schmierer2@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1163024014.956676.299150@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi again Paul.

You're correct, Domain Admins from the 2003 account is in the
Administrator group on the 2000 Domain.

Because I am part of this domain admin group, I am under the impression
that I would have admin access on the 2000 domain - which I do now if I
log onto the Domain controller, but not when I log onto a PC on the
2000 domain. On the PC I can't even access the local disk management
or defragmenter.

This is where my problem is, logically to me and you as you say above,
being a part of the Administrators domain group should give me 'admin'
access on the local PC - which it isn't, and I don't know why.

Perhaps we're still not connecting on our points, can you possibly give
me a step by step instruction on how you would grant domain admins
access from one domain into a trusted domain, so that they can log on
the PCs in the trusted domain and have full access?

Regards,
Owen.

Paul Bergson [MVP-DS] wrote:
You belong to the "Administrators" group, but what does that mean? You are
provided access to security that the Administrators have been given access
to, that doesn't mean you are logged on as an administrator.

Look at something that you are trying to gain access to and see if the
Administrators group has been provided access to it.

Take a couple of minutes and read the below, I think you will better
understand my point.
http://www.microsoft.com/technet/technetmag/issues/2006/03/WindowsConfidential/default.aspx


<schmierer2@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1162945845.056520.57110@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
My apologies, it's still not giving me administrator access, I was
logged onto the wrong domain.

Situation still exists - on the 2000 domain, I log on with an account
from the 2003 domain yet I receive no admin permissions.

I have added Domain Admins from the 2003 domain into the builtin
Administrators group on the 2000 Domain.


schmierer2@xxxxxxxxxxxxxxxxxxxxx wrote:
I'm not talking about the local group on the PC. I'm talking about the
domain group called Administrators, which is a local built in group. I
added the domain admins group from the 2003 domain to it (on the 2000
domain) but it wouldn't work.

Weird thing though, come in today and it is working. Nothing has
changed...but I don't see how it would need 2 days to replicate
permissions or whatever it does.


Paul Bergson [MVP-DS] wrote:
You should have local admin access on the local machine, but you won't
have any special privileges at all in the domain.


<schmierer2@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1162851813.710255.278010@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks Paul. I actually want domain access in the 2000 domain, with an
account from the 2003 domain. I did add my domain 2003 admin account
into the 2000 local administrator group, but when I log on the 2000
domain with that account I don't get admin access.

I can't do what you said though because the domain admin group won't
allow users/groups to be added from another domain, which is why I
needed to add it to the administrators local group.

Cheers,
Owen.


Paul Bergson [MVP-DS] wrote:
You don't by default have admin credentials in this domain, they have to
be added. Have the admin from the 2000 domain add your 2003 id in to the
domain admins group.


<schmierer2@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1162772138.516628.315630@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi guys. I'm sure there is something simple that I'm not doing
properly but I'm looking for some help.

I've created a trust (two way) from a 2003 domain to a 2000 domain and
the trust works fine. I can log on the 2000 domain with an account
from my 2003 domain no problem. I have added an admin global group
from the 2003 domain into the local Administrators group on the 2000
domain... my problem is that when I log onto the 2000 domain with an
account from the 2003 domain then I don't have admin access.

Am I doing something wrong?

Thanks very much,
Owen.
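
Added example (not part of the original thread and not any poster's code): a small audit of a Restricted Groups GPO that reports which principals it places in the local Administrators group, and whether by the "member of" method (adds to existing membership) or the "members" method (the listed members replace whatever is already in the group at policy refresh). The SIDs are constructed, and the [Group Membership] layout of GptTmpl.inf is assumed as shown in the samples.

```python
ADMINS = {"s-1-5-32-544", "administrators", "builtin\\administrators"}

# Constructed samples (made-up domain SID). Layout assumed to match the
# [Group Membership] section a Restricted Groups GPO writes to GptTmpl.inf.
HELPDESK = "S-1-5-21-1111111111-2222222222-3333333333-1105"
MEMBER_OF_STYLE = f"""[Group Membership]
*{HELPDESK}__Memberof = *S-1-5-32-544
*{HELPDESK}__Members =
"""
MEMBERS_STYLE = f"""[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *{HELPDESK},Administrator
"""


def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from INF text."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        name, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() not in ("members", "memberof"):
            continue
        entries = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        slot = groups.setdefault(name.lstrip("*"), {"members": [], "memberof": []})
        slot[kind.lower()] = entries
    return groups


def local_admin_grants(inf_text):
    """List (principal, mode) pairs the policy puts into local Administrators."""
    grants = []
    for group, cfg in parse_group_membership(inf_text).items():
        if group.lower() in ADMINS:
            # "Members" on Administrators itself: the list is authoritative.
            grants += [(m, "authoritative") for m in cfg["members"]]
        elif any(g.lower() in ADMINS for g in cfg["memberof"]):
            # "Member of" on another group: added without removing others.
            grants.append((group, "additive"))
    return grants


if __name__ == "__main__":
    for label, text in (("member of", MEMBER_OF_STYLE), ("members", MEMBERS_STYLE)):
        print(label, local_admin_grants(text))
```
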




