Re: Cannot add the domain admins group from another domain to the

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

---

• From: "Paul Bergson [MVP-DS]" <pbbergs@xxxxxxxxxxxxxxx>
• Date: Mon, 26 Jan 2009 07:18:31 -0600

---

Good work.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.


"study" <study@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:94A1B949-94DD-4CB0-85EC-523234D8700F@xxxxxxxxxxxxxxxx

Thanks.
What I did was I moved the container "users" which contained the "domain
admins" group to the "computers" container than moved it back to its original
location. Then I was able to add the group. Weird...


"Paul Bergson [MVP-DS]" wrote:

Sounds to me like there is some, acl's that are causing the issue. I would
check permissions on a working and failing ou and compare the two for
differences.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.


"study" <study@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:96976667-D50A-4571-8E35-F706EA083A3C@xxxxxxxxxxxxxxxx
> Thanks.
> I found out that I can add the groups/users from certain OUs and not
> others
> on domain C to domain B's built-in administrator group.
> ex) I can add users/groups from OUs a,b,c,d on doomain C but not from > OUs
> e,f,g,h. If I move the users/groups from ex) OU a to OU e, I can no
> longer
> add those users/groups but if I move them back to OU a, I can.
> Weird hah?
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> I would suggest you create a global group in domain C and place the
>> user(s)
>> within this group. I would create a universal group in domain A (Any
>> domain
>> will work) and place the global group created in C into the universal
>> group
>> and place the universal group in the built in group in B. I am making
>> the
>> assumption on your domain and forest functional levels to be at at >> least
>> 2000 Native.
>>
>> -- >> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup >> This
>> posting is provided "AS IS" with no warranties, and confers no rights.
>>
>>
>> "study" <study@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:2958599D-6539-4CB7-8F1C-0DA5B17209CD@xxxxxxxxxxxxxxxx
>> > We have AD 2003 domains A,B, and C.
>> > A is the root and B and C are the child domains.
>> > I'm trying to add the domain admins group from domain C to the >> > built-in
>> > administrators group on domain B's DC. When I add the domain C's
>> > domain
>> > admins group to the built-in administrator's group on domain B's DC >> > and
>> > click
>> > "apply" in ADUC, it says
>> >
>> > "The specified user was not found. If the user exists on another >> > domain
>> > controller in the enterprise, it may take 15 minutes or more for the
>> > user
>> > to
>> > be replicated to the global catalog. "
>> >
>> > Domain B's DC is also a GC by the way.
>> >
>> > I googled and found
>> > "http://support.microsoft.com/kb/276266 = Group Changes for Users >> > with
>> > LDAP-Restricted Characters May Not Work"
>> > But this doesn't apply to my case...
>> >
>> > I'm able to add the domain B's domain admins group to the built-in
>> > administrators group on domain C's DC though.
>>

.

---

• References:
  • Cannot add the domain admins group from another domain to the buil
    • From: study
  • Re: Cannot add the domain admins group from another domain to the buil
    • From: Paul Bergson [MVP-DS]
  • Re: Cannot add the domain admins group from another domain to the
    • From: study
  • Re: Cannot add the domain admins group from another domain to the
    • From: Paul Bergson [MVP-DS]
  • Re: Cannot add the domain admins group from another domain to the
    • From: study

• Prev by Date: Re: Not able to see Universal Groups from a sub domain
• Next by Date: Re: Permissions issues.
• Previous by thread: Re: Cannot add the domain admins group from another domain to the
• Next by thread: sysvol replication breaks when IPSec running between DCs & firewal
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Windows 2003 Pre-authentication failed ... MVP - Directory Services ... 2003, 2000 (Early Achiever), NT ... Please no e-mails, any questions should be posted in the NewsGroup ... (microsoft.public.windows.server.security) Re: SSL LDAP intermittent failure to bind ... MVP - Directory Services ... Please no e-mails, any questions should be posted in the NewsGroup This ... ticket-granting tickets, service tickets, and session keys. ... (microsoft.public.windows.server.active_directory) Re: Old server listed in Sites & Services ... MVP - Directory Services ... 2003, 2000 (Early Achiever), NT ... Please no e-mails, any questions should be posted in the NewsGroup ... (microsoft.public.windows.server.active_directory) Re: MRxSmb and NetBT errors ... MVP - Directory Services ... Please no e-mails, any questions should be posted in the NewsGroup ... where the name of computer, say SRVPRDAPP04, and the Data portion in ... (microsoft.public.windows.server.active_directory) Re: granting admin access to windows services ... MVP - Directory Services ... Please no e-mails, any questions should be posted in the NewsGroup This ... posting is provided "AS IS" with no warranties, ... (microsoft.public.windows.server.active_directory)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.active_directory  > 2009-01