You should be able to directly add the trusted domain's domain admins group to any workstations you want. As long as the trust lines are there, the global groups will nest fine in the workstations' builtin administrators group.

Ex:

G:\TEMP\schema>lg administrators

LG V01.01.00cpp Joe Richards ([EMAIL PROTECTED]) August 2002

USER : FASTMOFO\Administrator
GROUP : JOE\Domain Admins
GROUP : CHILD1\Domain Admins

3 members listed

The command completed successfully.

You could do this with startup scripts (through gpo) or through restricted groups (through gpo).

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Wednesday, December 01, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Cross Domain Groups

Group,

Have you ever added a domain admins group from another forest into the built in administrators groups on your local workstation? We have our forest of nt40 and the parent company has a forest named abc. They both have a two way trust.

I started this project by creating a universal group in the nt40 forest and placing the domain admins group from the abc forest into it. I then opened the local permissions on my box and placed the universal group that I created into the local group. It actually worked. Therefore, I know that you can cross global groups as long as you hide them in either a local or universal group (duh).

However, I am trying to find a way to automate this process because all workstations in the network need the domain admins group from abc. I have been researching gpo's and haven't found a solution.

Have you run into this problem before? Ideas? Suggestions?

Thanks,

S

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
