FIRST:
You can use restricted groups in a GPO.
However, if that is in the forest root domain, then members of the builtin administrators have control over the enterprise administrators group.
 
SECOND:
If a user is a member of one of the builtin groups (ent admins, dom admins, builtin admins), there is no way to restrict access to other activities.
 
I'm not sure if I understand what you want with "Actually, my requirement is I want to create a trust from one forest to all the domain controller in the other forest. Without the Enterprise admin credential."
 
Are you saying:
* I have a user in forest 1 and I want that user to be an admin of all resources in forest 2? If yes, you could add that user to the builtin administrators of forest 2. It is not possible to add the user from forest 1 to the domain admins or enterprise admins group of forest 2. However, if you want to add the user from forest 1 to the builtin administrators of forest 2, be careful, because if forest 1 gets compromised and that user is misused, then it is also possible to compromise forest 2.
To mitigate this risk, create a user account in forest 2, assign appropriate admin permissions and use the RUNAS option from a workstation in forest 1.
 
Cheers,
#JORGE#


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
Sent: Tuesday, May 03, 2005 14:47
To: [email protected]
Subject: [ActiveDir] How to make a user member of Built in Administrator group

Hi,

I want to make one user the member of Built in administrator group of all the domains within the forest, without making the user a member of Enterprise admin.

Or,

Say, I have made the user member of Enterprise admin. Then how to deny that user to perform any AD related activities.

Actually, my requirement is I want to create a trust from one forest to all the domain controller in the other forest. Without the Enterprise admin credential.

Thanks,

Manjeet
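
The reply above warns that a forest 1 account placed in the builtin administrators of forest 2 lets a compromise of forest 1 carry over into forest 2. The following audit is an added example, not part of the original thread: it lists members of BUILTIN\Administrators in every domain of the current forest that come from outside the forest. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to each domain.

```powershell
# Added example: report cross-forest members of BUILTIN\Administrators
# in every domain of the forest the caller is logged on to.
Import-Module ActiveDirectory

# Well-known SID of BUILTIN\Administrators (same in every domain)
$builtinAdminsSid = 'S-1-5-32-544'

$report = foreach ($domain in (Get-ADForest).Domains) {
    $group = Get-ADGroup -Identity $builtinAdminsSid -Server $domain -Properties member

    foreach ($dn in $group.member) {
        # Security principals from outside the forest are stored as
        # foreignSecurityPrincipal objects in this container.
        if ($dn -notlike '*,CN=ForeignSecurityPrincipals,*') { continue }

        $fsp = Get-ADObject -Identity $dn -Server $domain -Properties objectSid
        $sid = $fsp.objectSid

        # Skip well-known principals (e.g. S-1-5-11); domain accounts and
        # groups always have SIDs beginning with S-1-5-21-.
        if ($sid.Value -notlike 'S-1-5-21-*') { continue }

        # Name resolution needs a working trust; keep the SID if it fails.
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved>'
        }

        [pscustomobject]@{
            Domain       = $domain
            MemberSid    = $sid.Value
            ResolvedName = $name
        }
    }
}

$report | Sort-Object Domain, ResolvedName | Format-Table -AutoSize
```

An empty report means no account from another forest currently holds builtin administrator rights in any domain of this forest.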

