Domain Admins is a global group and as such you can't add users from other domains to it. While other global groups can be converted to universal groups, you can't do so for the Domain Admins group.
 
A solution to your problem is to use the Restricted Groups GPO feature (which will not work for your legacy machines in the AD domain) to add a universal group to the Administrators group of all Server-OUs. I wouldn't want to set this GPO at the domain level, as then you're putting your AD domains at risk as well, if you do something wrong... The UG to use can either be the Enterprise Admins group or any other UG you assign for the task.
 
/Guido
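
An added example, not part of the original thread: Restricted Groups settings are stored in a GPO's GptTmpl.inf under `[Group Membership]`, where a `__Members` list on Administrators replaces the local membership while a `__Memberof` entry on the universal group only adds it. The sketch below audits a template for which of the two a GPO uses; the universal group SID and both sample templates are constructed, and empty `__Members` lines are skipped as an assumption of this example.

```python
import re

ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
# Constructed SID standing in for the universal group assigned to the task.
UG = "*S-1-5-21-1111111111-2222222222-3333333333-1105"

def audit_restricted_groups(inf_text):
    """Return (mode, principal, entries) for each setting that touches Administrators."""
    findings, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"(.+?)__(memberof|members)\s*=\s*(.*)$", line, re.I)
        if not in_section or not m:
            continue
        principal, kind = m.group(1).strip(), m.group(2).lower()
        entries = [v.strip() for v in m.group(3).split(",") if v.strip()]
        if kind == "members" and principal.upper() == ADMINISTRATORS and entries:
            # Enforced list: members not named here are removed on refresh.
            findings.append(("replace", ADMINISTRATORS, entries))
        elif kind == "memberof" and ADMINISTRATORS in (e.upper() for e in entries):
            # Additive: the principal is added, existing members are kept.
            findings.append(("additive", principal, [ADMINISTRATORS]))
    return findings

# Constructed template: the universal group is made a member of Administrators.
SAMPLE_ADDITIVE = f"""[Unicode]
Unicode=yes
[Group Membership]
{UG}__Memberof = {ADMINISTRATORS}
{UG}__Members =
"""

# Constructed template: Administrators is restricted to exactly the listed SID.
SAMPLE_REPLACE = f"""[Group Membership]
{ADMINISTRATORS}__Memberof =
{ADMINISTRATORS}__Members = {UG}
"""

if __name__ == "__main__":
    for name, text in (("additive", SAMPLE_ADDITIVE), ("replace", SAMPLE_REPLACE)):
        print(name, audit_restricted_groups(text))
```

A "replace" finding on a GPO linked to the Server-OUs is the one to review before rollout, since any local administrator not in the list is dropped at the next policy refresh.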


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Tuesday, 13 April 2004 22:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

What about adding them to each domain admins group for each domain?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] enterprise-wide accounts

We’d like to eventually trim down the number of domains and get to an OU-based administrative model. But in the meantime, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn’t allow logon to all the member servers. How do I best grant “domain admin-level” rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice.

 

Thanks!

 

Mark Creamer

Systems Engineer

Cintas Corporation

Honesty and Integrity in Everything We Do

 
