Use restricted groups GPO setting on member servers
and prescribe the membership in local Admin groups from other
domains.
Regards
Matjaz Ladava
MVP Windows server - Directory Services

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Tuesday, April 13, 2004 10:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

What about adding them to each domain admins group for each domain?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] enterprise-wide accounts

We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the meantime, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn't allow logon to all the member servers. How do I best grant "domain admin-level" rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice.
Thanks!
Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
