Adding a user to to the Domain Admin Group of a child domain.

G

Guest

Hi friends.

I am confused and frustrated. Need your help.

I have a parent domain in mix mode. I have added a child domain, it is in
native mode.

I am trying to add a user in parent domain to the "domain admin" group in
the child domain. The thing I am trying to achieve is that the IT users in
parent domain are domain admins and they should also have domain admin
permissions to the child domain.

Can you please help me. It is very very confusing. Appreciate your help.

Thanks
IK
 
P

Paul McGuire

add them to the enterprise admin group and they will have admin rights in
parent domain as well in the child domain in the same forest
 
J

Joe Wu [MSFT]

Hello,

Thank you for your post.

Domain Admins is a global group and its members cannot be user accounts or
global groups from other domains. This is why we cannot add a parent domain
user to the child domain's Domain Admins group. Instead, we add the parent
domain's user to the child domain's Administrators domain local group in
the "Builtin" container.

For more information, please refer to:

326265 Description of the Group Scopes That You Can Use to Help Secure
Active
http://support.microsoft.com/?id=326265

I hope the above information helps. Thanks, and have a great day!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|From: "Paul McGuire" <paulmcguire@_nospam_hotmail.com>
|References: <[email protected]>
|Subject: Re: Adding a user to to the Domain Admin Group of a child domain.
|Date: Mon, 8 Dec 2003 22:44:11 -0600
|Lines: 31
|X-Priority: 3
|X-MSMail-Priority: Normal
|X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
|X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
|Message-ID: <[email protected]>
|Newsgroups: microsoft.public.win2000.active_directory
|NNTP-Posting-Host: nts-9.135-167-216.nts-online.net 216.167.135.9
|Path:
cpmsftngxa07.phx.gbl!cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08
.phx.gbl!tk2msftngp13.phx.gbl
|Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.active_directory:58677
|X-Tomcat-NG: microsoft.public.win2000.active_directory
|
|add them to the enterprise admin group and they will have admin rights in
|parent domain as well in the child domain in the same forest
|
|--
|HTH
|
|Paul McGuire
|
|
|
|> Hi friends.
|>
|> I am confused and frustrated. Need your help.
|>
|> I have a parent domain in mix mode. I have added a child domain, it is in
|> native mode.
|>
|> I am trying to add a user in parent domain to the "domain admin" group in
|> the child domain. The thing I am trying to achieve is that the IT users
in
|> parent domain are domain admins and they should also have domain admin
|> permissions to the child domain.
|>
|> Can you please help me. It is very very confusing. Appreciate your help.
|>
|> Thanks
|> IK
|>
|>
|
|
|
 
G

Guest

Thanks Joe for your reply. It was helpful.

The other problem is how can I get them rigths on the machines part of the
child domain. Normally Domain Admin by default is part of Local
Administrators group. Any good ideas?

Thanks
IK
 
J

Joe Wu [MSFT]

Hello,

Thank you for your prompt response.

You are asking a very good question. To do so, we can add the following
command to add a user (from the parent domain) to the local Administrators
group:

net localgroup administrators DoaminName/UserName /add

For example, we can configure Startup Script (Computer
Configuration\Windows Settings\Scripts (Startup/Shutdown)) in Default
Domain Policy.

This method worked well in my test machines.

Please let me know if anything is unclear. Thanks and have a nice day!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|Reply-To: <[email protected]>
|From: <[email protected]>
|References: <[email protected]>
<[email protected]>
<[email protected]>
|Subject: Re: Adding a user to to the Domain Admin Group of a child domain.
|Date: Tue, 9 Dec 2003 11:42:03 -0800
|Lines: 107
|X-Priority: 3
|X-MSMail-Priority: Normal
|X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
|X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
|Message-ID: <#[email protected]>
|Newsgroups: microsoft.public.win2000.active_directory
|NNTP-Posting-Host: su-fw-01.palmsource.com 12.7.175.2
|Path:
cpmsftngxa07.phx.gbl!cpmsftngxa10.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.
phx.gbl!TK2MSFTNGP09.phx.gbl
|Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.active_directory:58790
|X-Tomcat-NG: microsoft.public.win2000.active_directory
|
|Thanks Joe for your reply. It was helpful.
|
|The other problem is how can I get them rigths on the machines part of the
|child domain. Normally Domain Admin by default is part of Local
|Administrators group. Any good ideas?
|
|Thanks
|IK
|
|
||> Hello,
|>
|> Thank you for your post.
|>
|> Domain Admins is a global group and its members cannot be user accounts
or
|> global groups from other domains. This is why we cannot add a parent
|domain
|> user to the child domain's Domain Admins group. Instead, we add the
parent
|> domain's user to the child domain's Administrators domain local group in
|> the "Builtin" container.
|>
|> For more information, please refer to:
|>
|> 326265 Description of the Group Scopes That You Can Use to Help Secure
|> Active
|> http://support.microsoft.com/?id=326265
|>
|> I hope the above information helps. Thanks, and have a great day!
|>
|> Regards,
|> Joe Wu
|> Product Support Services
|> Microsoft Corporation
|>
|> Get Secure! - www.microsoft.com/security
|>
|> ====================================================
|> When responding to posts, please "Reply to Group" via your newsreader so
|> that others may learn and benefit from your issue.
|> ====================================================
|> This posting is provided "AS IS" with no warranties, and confers no
|rights.
|>
|> --------------------
|> |From: "Paul McGuire" <paulmcguire@_nospam_hotmail.com>
|> |References: <[email protected]>
|> |Subject: Re: Adding a user to to the Domain Admin Group of a child
|domain.
|> |Date: Mon, 8 Dec 2003 22:44:11 -0600
|> |Lines: 31
|> |X-Priority: 3
|> |X-MSMail-Priority: Normal
|> |X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
|> |X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
|> |Message-ID: <[email protected]>
|> |Newsgroups: microsoft.public.win2000.active_directory
|> |NNTP-Posting-Host: nts-9.135-167-216.nts-online.net 216.167.135.9
|> |Path:
|>
|cpmsftngxa07.phx.gbl!cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP0
8
|> phx.gbl!tk2msftngp13.phx.gbl
|> |Xref: cpmsftngxa07.phx.gbl
|microsoft.public.win2000.active_directory:58677
|> |X-Tomcat-NG: microsoft.public.win2000.active_directory
|> |
|> |add them to the enterprise admin group and they will have admin rights
in
|> |parent domain as well in the child domain in the same forest
|> |
|> |--
|> |HTH
|> |
|> |Paul McGuire
|> |
|> |
|> |
||> |> Hi friends.
|> |>
|> |> I am confused and frustrated. Need your help.
|> |>
|> |> I have a parent domain in mix mode. I have added a child domain, it is
|in
|> |> native mode.
|> |>
|> |> I am trying to add a user in parent domain to the "domain admin" group
|in
|> |> the child domain. The thing I am trying to achieve is that the IT
users
|> in
|> |> parent domain are domain admins and they should also have domain admin
|> |> permissions to the child domain.
|> |>
|> |> Can you please help me. It is very very confusing. Appreciate your
|help.
|> |>
|> |> Thanks
|> |> IK
|> |>
|> |>
|> |
|> |
|> |
|>
|
|
|
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

child domain logging to parent domain 1
2003 Native Domain to 2008 Native Domain 5
domain admin group of parent domain is NOT a member domain admin g 4
Adding user to Child Domain Group 4
remove the last/only DC in a Child domain 2
Cannot add as child domain 1
Child Domains and GPO's 5
Strange membership issues 4

Top