Re: How to make give cross-domain "Domain Admins" permissions
- From: "Paul Williams [MVP]" <ptw2001@xxxxxxxxxxx>
- Date: Tue, 27 Feb 2007 07:26:49 -0000
> But the domain local "Administrators" group does not have some privileges
> that "Domain Admins" do.

Domain Admins don't have any special permissions, the group is simply a
member of administrators on every domain member and the
builtin\administrators group of the domain. If you've added a group to the
Administrators group of the EUROPE domain it has the same level of
permissions over the DCs and AD as the EUROPE\Domain Admins group.

> I don't want to have admin privileges over all member servers/workstations,
> instead I'm just trying to give a single group "EUROPE\Directory Service
> Group" domain admins rights over all the domains in the forest.

Then you need to add that group into the Administrators group (of the
domain) in each domain.

> These rights should allow them to modify AD Topology/replication,
> view/create/modify existing GPOs, among others..

Yes, this will grant them all that.

There are security implications here. It should be noted that there should
be very few people with total control over the forest, so be very careful
with who's a member of this group. Monitor the membership and use
restricted groups to enforce the membership of this, and the administrators
groups.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
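
The membership monitoring recommended in the reply above can be scripted. The following is an added example, not part of the original post: it compares the direct members of BUILTIN\Administrators in every domain of the forest against an approved baseline. The domain name, the distinguished names in `$Approved` and the location of "Directory Service Group" are constructed placeholders, and the ActiveDirectory (RSAT) module is assumed to be installed.

```powershell
# Added example: audit direct membership of BUILTIN\Administrators per domain.
Import-Module ActiveDirectory

# Approved direct members, keyed by domain DNS name (constructed sample values).
$Approved = @{
    'europe.example.com' = @(
        'CN=Administrator,CN=Users,DC=europe,DC=example,DC=com',
        'CN=Domain Admins,CN=Users,DC=europe,DC=example,DC=com',
        'CN=Enterprise Admins,CN=Users,DC=example,DC=com',
        'CN=Directory Service Group,OU=Groups,DC=europe,DC=example,DC=com'
    )
}

$BuiltinAdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

$findings = foreach ($domain in (Get-ADForest).Domains) {
    try {
        # Read the 'member' attribute directly so cross-domain members come back as DNs.
        $group = Get-ADGroup -Identity $BuiltinAdminsSid -Server $domain `
                             -Properties member -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Domain = $domain; Status = 'QueryFailed'; Member = $_.Exception.Message }
        continue
    }

    $actual   = @($group.member)
    # A domain with no baseline entry is treated as "nothing approved".
    $expected = if ($Approved.ContainsKey($domain)) { @($Approved[$domain]) } else { @() }

    foreach ($dn in $actual) {
        if ($expected -notcontains $dn) {
            [pscustomobject]@{ Domain = $domain; Status = 'Unexpected'; Member = $dn }
        }
    }
    foreach ($dn in $expected) {
        if ($actual -notcontains $dn) {
            [pscustomobject]@{ Domain = $domain; Status = 'Missing'; Member = $dn }
        }
    }
}

$findings | Format-Table -AutoSize
if ($findings) { exit 1 }   # non-zero exit lets a scheduled task raise an alert
```

Only direct members are compared, so the membership of each approved group (including the delegated group itself) needs the same review.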