RE: [ActiveDir] Domain Admins Group Membership

Mon, 27 Jun 2005 10:56:18 -0700 

We create a domain local group in Domain A and then use either a startup
script (net add) or the GPO setting for restricted groups to add that group
into the local admin group on every machine.  In cases where cross domain
admin access is needed a group is created in Domain B, added to the domain
local group in Domain A and they get the rights needed.  Generally we do
this on an OU basis as well to provide admin rights in each OU.

We tend to use the script here because the Restricted Group option in 2000
allowed you to define the local admin group rather then just adding to it.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


|---------+---------------------------------->
|         |           "Ibarra, Juan"         |
|         |           <[EMAIL PROTECTED]>  |
|         |           Sent by:               |
|         |           [EMAIL PROTECTED]|
|         |           tivedir.org            |
|         |                                  |
|         |                                  |
|         |           06/27/2005 10:25 AM MST|
|         |           Please respond to      |
|         |           ActiveDir              |
|---------+---------------------------------->
  
>------------------------------------------------------------------------------------------------------------------------------|
  |                                                                             
                                                 |
  |       To:       <[email protected]>                              
                                                 |
  |       cc:       (bcc: James Day/Contractor/NPS)                             
                                                 |
  |       Subject:  RE: [ActiveDir] Domain Admins Group Membership              
                                                 |
  
>------------------------------------------------------------------------------------------------------------------------------|




Jorge, I am trying to give several users on Domain B Admin rights on
Domain A so that they can get full access to the servers.  I am trying
to avoid giving them local admin access to everyone on every server.

Juan

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, June 27, 2005 10:02 AM
To: [email protected]; [email protected]
Subject: RE: [ActiveDir] Domain Admins Group Membership

that is what I'm asking... what do you want to do? what are your
thoughts?

Cheers,
#JORGE#

________________________________

From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 7:00 PM
To: [email protected]
Subject: RE: [ActiveDir] Domain Admins Group Membership



Does any one have an idea on how else to accomplish this?

Thanks,
Juan

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, June 27, 2005 8:39 AM
To: [email protected]; [email protected]
Subject: RE: [ActiveDir] Domain Admins Group Membership

the way you want to do it can not be accomplished! Why?

The domain admins group is a global security group and global (security)

groups can only have members from its own domain and not from other
domains. By design

What are you trying to accomplish?

Cheers,
#JORGE#

________________________________

From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 5:32 PM
To: [email protected]
Subject: [ActiveDir] Domain Admins Group Membership



Hi,

I need to add certain users from domain B, Win 2000 Domain, to the
Domain Admins group of Domain A, Windows 2003 Domain.  There is a two
way trust between the two domains; however, I don't seem to find the way

to do this.  I am able to add users to shares but not the group.


How could I accomplish this?

Thanks,

Juan



This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Reply via email to