RE: [ActiveDir] enterprise-wide accounts
You can only change the groups on those machines to which the GPOs apply. If you apply a restricted groups GPO to an OU and try to add members to the Ent. Admin. group, you'll fail, as this group is maintained by the root DCs only. And I would never advise you to use the restricted groups policy on your DCs themselves - it's definitely geared to be used for members/clients of a domain. Even though you can't browse the groups of the member machines, you can just type their names (which is ugly in a multi-language environment...). When using the MemberOf option, you'd e.g. add the "forestroot\Enterprise Admins" group to the restricted groups list and then add the name of the local machine group, i.e. "Administrators", to the MemberOf tab = this will ensure that the Enterprise Admins are members of the Administrators group on every machine in that OU. At the same time, the other members of the Administrators group remain in this group as well.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Wednesday, 21 April 2004 16:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

Guido, et al, I have tried this in my test domain. I applied the GPO to the OU where my servers are, as well as an OU I created where my workstations are. The group I added is the Enterprise Admins group. Now I think I just need some clarification on the Members and Member Of settings.

First, re: Members: since this GPO applies to the specific OU, is this saying that only the accounts that I place in Members on this Enterprise Admins group object will in fact be Enterprise Admins, and that they will only be Enterprise Admins with respect to this OU? That seems weird, but otherwise, why would this Members option be included in the GPO?

Second, re: Members Of. If my goal is to make the Enterprise Admins members of the local Administrators group on the machines in the OU, but the only objects I can choose from are domain objects (not the local objects), what group do I choose to make this happen?

Third, why do the Members and Members Of options say "This group should contain no members" and "The groups to which this group belongs should not be modified" respectively, even though it will let me do either or both?

Sorry for the lengthy query, I'm just confused (can you tell??) Thanks for your help on this issue!

mc

-----Original Message-----
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 13, 2004 5:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

Domain Admins is a global group and as such you can't add users from other domains to it. While other global groups can be converted to universal groups, you can't do so for the Domain Admins group. A solution to your problem is to use the restricted groups GPO feature (which will not work for your legacy machines in the AD domain) to add a universal group to the Administrators group of all server OUs. I wouldn't want to set this GPO at the domain level, as then you're putting your AD domains at risk as well, if you do something wrong... The UG to use can either be the Enterprise Admins group or any other UG you assign for the task.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Depp, Dennis M.
Sent: Tuesday, 13 April 2004 22:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

What about adding them to each Domain Admins group for each domain?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] enterprise-wide accounts

We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the meantime, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn't allow logon to all the member servers. How do I best grant "domain admin-level" rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice. Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
RE: [ActiveDir] enterprise-wide accounts
OK, thanks Guido. That helps a lot. Back to the lab!

mc

-----Original Message-----
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 21, 2004 2:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

You can only change the groups on those machines to which the GPOs apply. If you apply a restricted groups GPO to an OU and try to add members to the Ent. Admin. group, you'll fail, as this group is maintained by the root DCs only. And I would never advise you to use the restricted groups policy on your DCs themselves - it's definitely geared to be used for members/clients of a domain. Even though you can't browse the groups of the member machines, you can just type their names (which is ugly in a multi-language environment...). When using the MemberOf option, you'd e.g. add the forestroot\Enterprise Admins group to the restricted groups list and then add the name of the local machine group, i.e. Administrators, to the MemberOf tab = this will ensure that the Enterprise Admins are members of the Administrators group on every machine in that OU. At the same time, the other members of the Administrators group remain in this group as well.

/Guido
RE: [ActiveDir] enterprise-wide accounts
Thanks for correcting me on this. I would much rather use restricted groups than have the script I run every time the machine is booted up.

Mike

From: joe [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 13, 2004 8:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

Mike, the functionality recently changed; that was a subject of a conversation on this list. Many of us were quite happily surprised to learn of the change.

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
RE: [ActiveDir] enterprise-wide accounts
What about adding them to each Domain Admins group for each domain?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] enterprise-wide accounts

We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the meantime, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn't allow logon to all the member servers. How do I best grant "domain admin-level" rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice. Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
RE: [ActiveDir] enterprise-wide accounts
Could you use a Universal Group?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 13, 2004 3:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

What about adding them to each Domain Admins group for each domain?

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] enterprise-wide accounts
Domain Admins is a global group and as such you can't add users from other domains to it. While other global groups can be converted to universal groups, you can't do so for the Domain Admins group. A solution to your problem is to use the restricted groups GPO feature (which will not work for your legacy machines in the AD domain) to add a universal group to the Administrators group of all server OUs. I wouldn't want to set this GPO at the domain level, as then you're putting your AD domains at risk as well, if you do something wrong... The UG to use can either be the Enterprise Admins group or any other UG you assign for the task.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Depp, Dennis M.
Sent: Tuesday, 13 April 2004 22:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

What about adding them to each Domain Admins group for each domain?
RE: [ActiveDir] enterprise-wide accounts
Alternatively you can do what we do here. We have a startup script that runs from a GPO that adds a group to the local administrators group every time the machine is started up. The script looks like this:

    net localgroup administrators /add "domain\admins"

Just create a UG for all the admins and add them to it; then when the servers are rebooted this script will run and add the group to the machine's local administrator group. If you can't wait for the servers to be rebooted you can create a script that will read the servers in line by line and add this group to their local administrators group. Don't get me wrong, Guido's solution will work also, but won't Restricted groups remove any groups that are in the administrators group now except for the ones you specify?

Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 13, 2004 5:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

Domain Admins is a global group and as such you can't add users from other domains to it. While other global groups can be converted to universal groups, you can't do so for the Domain Admins group. A solution to your problem is to use the restricted groups GPO feature (which will not work for your legacy machines in the AD domain) to add a universal group to the Administrators group of all server OUs. I wouldn't want to set this GPO at the domain level, as then you're putting your AD domains at risk as well, if you do something wrong... The UG to use can either be the Enterprise Admins group or any other UG you assign for the task.

/Guido
RE: [ActiveDir] enterprise-wide accounts
Use the restricted groups GPO setting on member servers and prescribe the membership in local Admin groups from other domains.

Regards
Matjaz Ladava
MVP Windows server - Directory Services

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Depp, Dennis M.
Sent: Tuesday, April 13, 2004 10:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

What about adding them to each Domain Admins group for each domain?
RE: [ActiveDir] enterprise-wide accounts
"won't Restricted groups remove any groups that are in the administrators group now except for the ones you specify?"

Not if you have Win2k SP4 or Win2k3 and use the "MemberOf" option of the restricted groups.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Celone
Sent: Wednesday, 14 April 2004 00:07
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

Alternatively you can do what we do here. We have a startup script that runs from a GPO that adds a group to the local administrators group every time the machine is started up. The script looks like this:

    net localgroup administrators /add "domain\admins"

Just create a UG for all the admins and add them to it; then when the servers are rebooted this script will run and add the group to the machine's local administrator group. If you can't wait for the servers to be rebooted you can create a script that will read the servers in line by line and add this group to their local administrators group. Don't get me wrong, Guido's solution will work also, but won't Restricted groups remove any groups that are in the administrators group now except for the ones you specify?

Mike
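The Members versus MemberOf distinction that Mike asks about and Guido answers above (and that Guido spells out again in the 21 April message at the top of the page) comes down to how the two entry types in the security template behind a Restricted Groups setting are processed. The following is an added example, not code from the thread or from any Microsoft tool: a PowerShell function that reads the [Group Membership] section of a GptTmpl.inf-style template and reports which entries replace a group's membership outright and which only add the restricted group to another group. The template text is constructed for illustration; the domain SID S-1-5-21-1111111111-2222222222-3333333333 is a placeholder (519 is the RID of Enterprise Admins, and S-1-5-32-544 is the built-in Administrators alias).

```powershell
# Added example (not from the thread). Parses the [Group Membership] section of a
# security template (the GptTmpl.inf a Restricted Groups setting is stored in) and
# reports what each entry does to group membership. The template below is
# constructed; the S-1-5-21-... domain SID is a placeholder.

function Get-RestrictedGroupEffect {
    param([Parameter(Mandatory)][string[]]$TemplateLines)

    $inSection = $false
    foreach ($line in $TemplateLines) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection -or $trimmed -eq '' -or $trimmed.StartsWith(';')) { continue }

        # Entry forms: <group>__Members = <list>   and   <group>__Memberof = <list>
        # A leading '*' marks a SID rather than a name; the list is comma separated.
        if ($trimmed -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<list>.*)$') {
            $group = $Matches['group'].TrimStart('*')
            $kind  = $Matches['kind']
            $list  = @($Matches['list'] -split ',' |
                       ForEach-Object { $_.Trim().TrimStart('*') } |
                       Where-Object { $_ -ne '' })

            if ($kind -ieq 'Members') {
                # Authoritative: after the next refresh the group contains exactly this list.
                if ($list.Count) {
                    $effect  = "replaces the entire membership of $group with: " + ($list -join ', ')
                    $warning = "any current member of $group not listed here is removed"
                } else {
                    $effect  = "no Members listed for $group"
                    $warning = "for a domain group a member machine cannot enforce this anyway (see the thread)"
                }
            } else {
                # Additive: the restricted group is added to each listed group; other members stay.
                if ($list.Count) {
                    $effect  = "adds $group to: " + ($list -join ', ') + " (existing members of the target are kept)"
                } else {
                    $effect  = "no Memberof targets for $group; nothing is added"
                }
                $warning = $null
            }

            [pscustomobject]@{ Group = $group; Kind = $kind; Targets = $list; Effect = $effect; Warning = $warning }
        }
    }
}

# Constructed template: the first pair is the replace-style setting Mike worried about,
# the second pair is the MemberOf approach from the thread.
$sampleTemplate = @'
[Unicode]
Unicode=yes
[Group Membership]
; Replace style: BUILTIN\Administrators will contain only Enterprise Admins
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-519
*S-1-5-32-544__Memberof =
; Additive style: Enterprise Admins is added to BUILTIN\Administrators, other members stay
*S-1-5-21-1111111111-2222222222-3333333333-519__Members =
*S-1-5-21-1111111111-2222222222-3333333333-519__Memberof = *S-1-5-32-544
'@
$templateLines = $sampleTemplate -split "`r?`n"

Get-RestrictedGroupEffect -TemplateLines $templateLines |
    Format-Table Group, Kind, Effect, Warning -Wrap
```

Run against the real template under the GPO's SYSVOL path (`Get-Content` of the GptTmpl.inf, then pass the lines in), the function gives a quick review of whether a Restricted Groups setting will clobber existing local administrators (a `Members` entry on S-1-5-32-544) or merely add a group (a `Memberof` entry whose target is S-1-5-32-544), which is exactly the difference between the two behaviours discussed in the thread.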
RE: [ActiveDir] enterprise-wide accounts
Mike, the functionality recently changed; that was a subject of a conversation on this list. Many of us were quite happily surprised to learn of the change.

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 13, 2004 6:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

"won't Restricted groups remove any groups that are in the administrators group now except for the ones you specify?"

Not if you have Win2k SP4 or Win2k3 and use the "MemberOf" option of the restricted groups.

/Guido
RE: [ActiveDir] enterprise-wide accounts
You can not add (haven't tried to hack this, probably is hard coded functionality) foreign users to the domain admin group of a domain; they must exist in the same domain - domain admins is a global group, standard rules apply. The best would be administrators group membership which, unlike NT4, is not the same as domain admins in terms of Windows 2000+ Domain objects. The delta in Windows 2000+ is that many AD objects have different permissions set specifically to domain admins and being an administrator on a domain controller does not give access to those objects. Additionally nothing is (actually I have to say "should be" due to some "bugs") permissioned in the forest wide partitions to "administrators" because they don't have domain affinity like domain admins do. I.e. if you have an object in the config container with permissions set to administrators group, it means administrators in any domain. Say you want to give rights in the config container to administrators in Domain 1; by default, those permissions apply to every administrator of every domain in the forest. The SID for administrators has no domain context, it is a well known SID that is the same everywhere - S-1-5-32-544.

The general practice for domain controller permissions would be to create your "god" level IDs in your root domain or other main domain, then add those IDs to every administrators group on every domain. Then also create IDs in each domain for the admins and add those to the domain admins groups of the respective domain. You would normally be able to use the one ID to do most work, but if you needed to modify something that required domain admins rights, you would switch to the local domain admin ID.

What is an example of something a domain admin can do but an administrator can't in AD... How about delete subtrees. Also no delete of child objects, however you tend to pick that back up due to default SDs. Default DC and Default Domain policy objects don't have Administrators in the ACL.

An alternative would be to create a new universal group and update AD permissions to match the domain admins group for that universal group. You would still have to populate workstations and servers as well so this isn't buying a whole ton, definitely not worth the skull sweat to do.

Of course if the goal isn't full perms over AD Objects, but instead Domain member servers/workstations, the previously mentioned GPO method is the way to go.

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] enterprise-wide accounts

We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the meantime, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn't allow logon to all the member servers. How do I best grant "domain admin-level" rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice. Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
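Whichever route is taken (Mike's startup script or the restricted groups GPO), the check a practitioner wants afterwards is a read-only report of which member servers actually have the chosen universal group in their local Administrators group, and the same report illustrates joe's point above that S-1-5-32-544 carries no domain affinity while a domain group's SID does. The following is an added example, not code from the thread: it binds to each server's Administrators group through the WinNT ADSI provider, lists the members with their SIDs, and flags machines where the required group is missing or that could not be reached. The server names and the group name FORESTROOT\Enterprise Admins are placeholders, and it assumes the caller's credentials can read the local SAM of the listed machines.

```powershell
# Added example (not from the thread). Reports the local Administrators membership of
# each listed server and whether a designated domain group is present. Read-only.
# Server names and the group name are placeholders.

function Get-LocalAdminReport {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$RequiredGroup   # DOMAIN\Group, e.g. 'FORESTROOT\Enterprise Admins'
    )
    foreach ($computer in $ComputerName) {
        try {
            # Bind to BUILTIN\Administrators through the WinNT provider. The group is found
            # under the same name on every machine because its SID, S-1-5-32-544, has no
            # domain component.
            $adsGroup = [ADSI]"WinNT://$computer/Administrators,group"
            $members = @($adsGroup.psbase.Invoke('Members')) | ForEach-Object {
                $path     = $_.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $_, $null)
                $sidBytes = [byte[]]($_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null))
                $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
                # AccountDomainSid is null for well-known SIDs such as S-1-5-32-544 and is the
                # S-1-5-21-<domain> prefix for domain accounts: joe's "domain affinity".
                if ($null -eq $sid.AccountDomainSid) { $scope = 'well-known, no domain' }
                else { $scope = 'domain ' + $sid.AccountDomainSid.Value }
                [pscustomobject]@{
                    Account = ($path -replace '^WinNT://', '') -replace '/', '\'   # WinNT://DOM/Name -> DOM\Name
                    Sid     = $sid.Value
                    Scope   = $scope
                }
            }
            [pscustomobject]@{
                ComputerName     = $computer
                HasRequiredGroup = [bool]@($members | Where-Object { $_.Account -eq $RequiredGroup }).Count
                Members          = $members
                Error            = $null
            }
        } catch {
            # Unreachable host, access denied, etc.: report it rather than silently skipping
            [pscustomobject]@{ ComputerName = $computer; HasRequiredGroup = $false; Members = @(); Error = $_.Exception.Message }
        }
    }
}

# Constructed server list; in practice read it line by line from a file (Get-Content servers.txt).
$servers = @('srv-app-01', 'srv-file-01')
$report  = Get-LocalAdminReport -ComputerName $servers -RequiredGroup 'FORESTROOT\Enterprise Admins'

# Machines where neither the GPO nor the startup script has taken effect yet, or that failed
$report | Where-Object { -not $_.HasRequiredGroup } | Select-Object ComputerName, Error

# Full membership with SID scope, useful for spotting stray local or foreign-domain admins
$report | ForEach-Object { $c = $_.ComputerName; $_.Members | Select-Object @{n='Computer';e={$c}}, Account, Sid, Scope } |
    Format-Table -AutoSize
```

Because the check only reads group membership, it can be run repeatedly (for instance after a Group Policy refresh) to confirm that the MemberOf-style setting added the universal group without removing the other local administrators, which is the behaviour Guido describes for Win2k SP4 and Win2k3.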