Re: Single User/Multiple Domain Authority Delegation



Well, perhaps someone has changed some of the relevant group memberships from the defaults.

For example, by default, Enterprise Admins and Domain Admins are members of the Administrators group in each domain. By virtue of being members of the Administrators group, both of these groups would normally be able to logon and administer any domain.

But, by default, Enterprise Admins is NOT a member of Domain Admins in any domain.

Unless someone has changed things, members of the Administrators group on Domain Controllers have the rights required to logon to the Domain Controller remotely. However, this could be changed also.

I suggest checking which groups the "sysadmins" user accounts are actually members of and what, if any, changes have been made to Local Security Policies or the GPO equivalent for the Domain Controllers in each domain.

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"sar881" <sar881@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:72CAA29B-9A46-4AF1-AB80-1B229B03AF6C@xxxxxxxxxxxxxxxx
Our sysadmins administer using Remote Desktop to logon to each domain through
each individual DC. When the 'useradmin' account is granted EnterpriseAdmin
access, the user is unable to logon to the individual domains.

"Meinolf Weber" wrote:

Hello sar881,

Add them to the "enterprise admins" group, it's made for that.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> I currently have 4 sysadmins that oversee 4 domains in the same
> forest. As it stands, each domain has a single Domain Admin account
> that all four will use to sign in to the respective domains. For
> auditing and security purposes, I was looking to assign each sysadmin
> their own single 'admin' account that they can use to log on to and
> administer all four domains.
>
> So far I have tried:
> 1) Creating each account in a child domain and granting cross domain
> administrative access to each account. This did not work.
> 2) Creating an account at the forest controller and granting child
> domain administrative access. This did not work either.
> Is it possible to accomplish what I am trying to do?
>
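
One way to run the checks suggested at the top of this thread, as an added example that is not code from any poster in the thread. It assumes the RSAT ActiveDirectory module, PowerShell remoting to each domain's PDC emulator, and that the placeholder account 'useradmin' lives in the forest root domain.

```powershell
# Added example, not from the thread. Assumptions: RSAT ActiveDirectory module,
# PowerShell remoting enabled on the DCs, read access to every domain in the forest.
Import-Module ActiveDirectory
$Account = 'useradmin'   # placeholder account name; replace with a real sAMAccountName

$forest = Get-ADForest
$root   = Get-ADDomain -Identity $forest.RootDomain
# Enterprise Admins is RID 519 in the forest root domain
$ea     = Get-ADGroup -Identity "$($root.DomainSID.Value)-519" -Server $root.PDCEmulator

foreach ($name in $forest.Domains) {
    $domain = Get-ADDomain -Identity $name
    $dc     = $domain.PDCEmulator
    # Domain Admins is RID 512; BUILTIN\Administrators is S-1-5-32-544
    $da     = Get-ADGroup -Identity "$($domain.DomainSID.Value)-512" -Server $dc -Properties member
    $admins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $dc -Properties member

    # User rights that govern Remote Desktop logon, exported on the DC itself
    $rights = Invoke-Command -ComputerName $dc -ScriptBlock {
        $inf = Join-Path $env:TEMP 'user_rights.inf'
        secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null
        Select-String -Path $inf -Pattern '^Se(Deny)?RemoteInteractiveLogonRight' |
            ForEach-Object { $_.Line }
        Remove-Item $inf
    }

    # Defaults described in the thread: True, True, False
    [pscustomobject]@{
        Domain             = $name
        EAinAdministrators = $admins.member -contains $ea.DistinguishedName
        DAinAdministrators = $admins.member -contains $da.DistinguishedName
        EAinDomainAdmins   = $da.member -contains $ea.DistinguishedName
        RemoteLogonRights  = $rights -join '; '
    }
}

# Groups the account belongs to, as seen from its home domain (assumed: forest root)
(Get-ADUser -Identity $Account -Server $root.PDCEmulator -Properties memberOf).memberOf
```

A domain where the first two columns are not True, or where the exported rights omit Administrators (SID S-1-5-32-544) or list a deny entry, is one where the defaults have been changed.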



