Hi friends.

I am confused and frustrated. Need your help.

I have a parent domain in mix mode. I have added a child domain, it is in
native mode.

I am trying to add a user in parent domain to the "domain admin" group in
the child domain. The thing I am trying to achieve is that the IT users in
parent domain are domain admins and they should also have domain admin
permissions to the child domain.

Can you please help me. It is very very confusing. Appreciate your help.

Thanks
IK

add them to the enterprise admin group and they will have admin rights in
parent domain as well in the child domain in the same forest

--
HTH

Paul McGuire



<(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Hi friends.
>
> I am confused and frustrated. Need your help.
>
> I have a parent domain in mix mode. I have added a child domain, it is in
> native mode.
>
> I am trying to add a user in parent domain to the "domain admin" group in
> the child domain. The thing I am trying to achieve is that the IT users in
> parent domain are domain admins and they should also have domain admin
> permissions to the child domain.
>
> Can you please help me. It is very very confusing. Appreciate your help.
>
> Thanks
> IK
>
>

Hello,

Thank you for your post.

Domain Admins is a global group and its members cannot be user accounts or
global groups from other domains. This is why we cannot add a parent domain
user to the child domain's Domain Admins group. Instead, we add the parent
domain's user to the child domain's Administrators domain local group in
the "Builtin" container.

For more information, please refer to:

326265 Description of the Group Scopes That You Can Use to Help Secure
Active
http://support.microsoft.com/?id=326265

I hope the above information helps. Thanks, and have a great day!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|From: "Paul McGuire" <paulmcguire@_nospam_hotmail.com>
|References: <(E-Mail Removed)>
|Subject: Re: Adding a user to to the Domain Admin Group of a child domain.
|Date: Mon, 8 Dec 2003 22:44:11 -0600
|Lines: 31
|X-Priority: 3
|X-MSMail-Priority: Normal
|X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
|X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
|Message-ID: <(E-Mail Removed)>
|Newsgroups: microsoft.public.win2000.active_directory
|NNTP-Posting-Host: nts-9.135-167-216.nts-online.net 216.167.135.9
|Path:
cpmsftngxa07.phx.gbl!cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08
.phx.gbl!tk2msftngp13.phx.gbl
|Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.active_directory:58677
|X-Tomcat-NG: microsoft.public.win2000.active_directory
|
|add them to the enterprise admin group and they will have admin rights in
|parent domain as well in the child domain in the same forest
|
|--
|HTH
|
|Paul McGuire
|
|
|
|<(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
|> Hi friends.
|>
|> I am confused and frustrated. Need your help.
|>
|> I have a parent domain in mix mode. I have added a child domain, it is in
|> native mode.
|>
|> I am trying to add a user in parent domain to the "domain admin" group in
|> the child domain. The thing I am trying to achieve is that the IT users
in
|> parent domain are domain admins and they should also have domain admin
|> permissions to the child domain.
|>
|> Can you please help me. It is very very confusing. Appreciate your help.
|>
|> Thanks
|> IK
|>
|>
|
|
|

Thanks Joe for your reply. It was helpful.

The other problem is how can I get them rigths on the machines part of the
child domain. Normally Domain Admin by default is part of Local
Administrators group. Any good ideas?

Thanks
IK


"Joe Wu [MSFT]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello,
>
> Thank you for your post.
>
> Domain Admins is a global group and its members cannot be user accounts or
> global groups from other domains. This is why we cannot add a parent
domain
> user to the child domain's Domain Admins group. Instead, we add the parent
> domain's user to the child domain's Administrators domain local group in
> the "Builtin" container.
>
> For more information, please refer to:
>
> 326265 Description of the Group Scopes That You Can Use to Help Secure
> Active
> http://support.microsoft.com/?id=326265
>
> I hope the above information helps. Thanks, and have a great day!
>
> Regards,
> Joe Wu
> Product Support Services
> Microsoft Corporation
>
> Get Secure! - www.microsoft.com/security
>
> ====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ====================================================
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
> --------------------
> |From: "Paul McGuire" <paulmcguire@_nospam_hotmail.com>
> |References: <(E-Mail Removed)>
> |Subject: Re: Adding a user to to the Domain Admin Group of a child
domain.
> |Date: Mon, 8 Dec 2003 22:44:11 -0600
> |Lines: 31
> |X-Priority: 3
> |X-MSMail-Priority: Normal
> |X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
> |X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
> |Message-ID: <(E-Mail Removed)>
> |Newsgroups: microsoft.public.win2000.active_directory
> |NNTP-Posting-Host: nts-9.135-167-216.nts-online.net 216.167.135.9
> |Path:
>
cpmsftngxa07.phx.gbl!cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08
> phx.gbl!tk2msftngp13.phx.gbl
> |Xref: cpmsftngxa07.phx.gbl
microsoft.public.win2000.active_directory:58677
> |X-Tomcat-NG: microsoft.public.win2000.active_directory
> |
> |add them to the enterprise admin group and they will have admin rights in
> |parent domain as well in the child domain in the same forest
> |
> |--
> |HTH
> |
> |Paul McGuire
> |
> |
> |
> |<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> |> Hi friends.
> |>
> |> I am confused and frustrated. Need your help.
> |>
> |> I have a parent domain in mix mode. I have added a child domain, it is
in
> |> native mode.
> |>
> |> I am trying to add a user in parent domain to the "domain admin" group
in
> |> the child domain. The thing I am trying to achieve is that the IT users
> in
> |> parent domain are domain admins and they should also have domain admin
> |> permissions to the child domain.
> |>
> |> Can you please help me. It is very very confusing. Appreciate your
help.
> |>
> |> Thanks
> |> IK
> |>
> |>
> |
> |
> |
>

Hello,

Thank you for your prompt response.

You are asking a very good question. To do so, we can add the following
command to add a user (from the parent domain) to the local Administrators
group:

net localgroup administrators DoaminName/UserName /add

For example, we can configure Startup Script (Computer
Configuration\Windows Settings\Scripts (Startup/Shutdown)) in Default
Domain Policy.

This method worked well in my test machines.

Please let me know if anything is unclear. Thanks and have a nice day!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|Reply-To: <(E-Mail Removed)>
|From: <(E-Mail Removed)>
|References: <(E-Mail Removed)>
<(E-Mail Removed)>
<(E-Mail Removed)>
|Subject: Re: Adding a user to to the Domain Admin Group of a child domain.
|Date: Tue, 9 Dec 2003 11:42:03 -0800
|Lines: 107
|X-Priority: 3
|X-MSMail-Priority: Normal
|X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
|X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
|Message-ID: <#(E-Mail Removed)>
|Newsgroups: microsoft.public.win2000.active_directory
|NNTP-Posting-Host: su-fw-01.palmsource.com 12.7.175.2
|Path:
cpmsftngxa07.phx.gbl!cpmsftngxa10.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.
phx.gbl!TK2MSFTNGP09.phx.gbl
|Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.active_directory:58790
|X-Tomcat-NG: microsoft.public.win2000.active_directory
|
|Thanks Joe for your reply. It was helpful.
|
|The other problem is how can I get them rigths on the machines part of the
|child domain. Normally Domain Admin by default is part of Local
|Administrators group. Any good ideas?
|
|Thanks
|IK
|
|
|"Joe Wu [MSFT]" <(E-Mail Removed)> wrote in message
|news:(E-Mail Removed)...
|> Hello,
|>
|> Thank you for your post.
|>
|> Domain Admins is a global group and its members cannot be user accounts
or
|> global groups from other domains. This is why we cannot add a parent
|domain
|> user to the child domain's Domain Admins group. Instead, we add the
parent
|> domain's user to the child domain's Administrators domain local group in
|> the "Builtin" container.
|>
|> For more information, please refer to:
|>
|> 326265 Description of the Group Scopes That You Can Use to Help Secure
|> Active
|> http://support.microsoft.com/?id=326265
|>
|> I hope the above information helps. Thanks, and have a great day!
|>
|> Regards,
|> Joe Wu
|> Product Support Services
|> Microsoft Corporation
|>
|> Get Secure! - www.microsoft.com/security
|>
|> ====================================================
|> When responding to posts, please "Reply to Group" via your newsreader so
|> that others may learn and benefit from your issue.
|> ====================================================
|> This posting is provided "AS IS" with no warranties, and confers no
|rights.
|>
|> --------------------
|> |From: "Paul McGuire" <paulmcguire@_nospam_hotmail.com>
|> |References: <(E-Mail Removed)>
|> |Subject: Re: Adding a user to to the Domain Admin Group of a child
|domain.
|> |Date: Mon, 8 Dec 2003 22:44:11 -0600
|> |Lines: 31
|> |X-Priority: 3
|> |X-MSMail-Priority: Normal
|> |X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
|> |X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
|> |Message-ID: <(E-Mail Removed)>
|> |Newsgroups: microsoft.public.win2000.active_directory
|> |NNTP-Posting-Host: nts-9.135-167-216.nts-online.net 216.167.135.9
|> |Path:
|>
|cpmsftngxa07.phx.gbl!cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP0
8
|> phx.gbl!tk2msftngp13.phx.gbl
|> |Xref: cpmsftngxa07.phx.gbl
|microsoft.public.win2000.active_directory:58677
|> |X-Tomcat-NG: microsoft.public.win2000.active_directory
|> |
|> |add them to the enterprise admin group and they will have admin rights
in
|> |parent domain as well in the child domain in the same forest
|> |
|> |--
|> |HTH
|> |
|> |Paul McGuire
|> |
|> |
|> |
|> |<(E-Mail Removed)> wrote in message
|news:(E-Mail Removed)...
|> |> Hi friends.
|> |>
|> |> I am confused and frustrated. Need your help.
|> |>
|> |> I have a parent domain in mix mode. I have added a child domain, it is
|in
|> |> native mode.
|> |>
|> |> I am trying to add a user in parent domain to the "domain admin" group
|in
|> |> the child domain. The thing I am trying to achieve is that the IT
users
|> in
|> |> parent domain are domain admins and they should also have domain admin
|> |> permissions to the child domain.
|> |>
|> |> Can you please help me. It is very very confusing. Appreciate your
|help.
|> |>
|> |> Thanks
|> |> IK
|> |>
|> |>
|> |
|> |
|> |
|>
|
|
|