Could you use a Universal Group?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 3:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts


What about adding them to each domain admins group for each domain?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] enterprise-wide accounts


We'd like to eventually trim down the number of domains and get to an OU-based 
administrative model. But in the meantime, we have identified a couple of people that 
we want to have domain admin rights in all domains. I know that making them an 
enterprise admin allows them domain admin rights on the DCs in each domain because of 
membership in the BUILTIN\Administrators group in each domain. But that doesn't allow 
logon to all the member servers. How do I best grant "domain admin-level" rights 
across all domains in the forest with a single logon for each of these persons? 
Looking for a best practice.

Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
