Adding user to Child Domain Group

Tony

Hello,
1 AD 2003 Forest
1 AD 2003 Child Domain in Forest

I'm trying to add my user account from the parent domain into the Domain
Admins group in the Child Domain but can't. The only option I have is to add
a Contact or Other Object. Users, Groups, etc. are not an option. I can,
however, add my user id to the Builtin\Administrators group in the Child
Domain. I would like to administer both domains from one account. What do I
do here?

Thanks,
Tony
 
Brian Desmond [MVP]

Tony-

The issue here is group scope. Domain Admins is a global group,
Administrators is a Domain Local group. Adding yourself to the domain
"Administrators" group gives you almost full control - enough to do most day
to day tasks. Others will require a separate account.

The reason here is that a global group is exposed to any domain that the
group's parent trusts. In an AD forest, you have implicit trust, but, think
of a situation where child.company.com trusts an external domain
widgets.com. Widgets.com has no idea about the company.com domain where
your account is. Thus, when it sees a group containing users from domains
other than child.company.com it has no way to resolve them.



--
Brian Desmond
Windows Server MVP

Http://www.briandesmond.com
 
Tony

Hi Brian,

Ok, I see your point. My problem was that I'm trying to administer
workstations in that domain but can't. What I could do though is create a
batch job that adds the Parent\Domain Admins group to the local Admin group
on the PCs?

Cheers,
Tony
 
Herb Martin

Tony said:
> Hello,
> 1 AD 2003 Forest
> 1 AD 2003 Child Domain in Forest
>
> I'm trying to add my user account from the parent domain into the Domain
> Admins group in the Child Domain but can't.

Domain Admins is a GLOBAL Group.

Global Groups can ONLY contain users from the same
domain (as the Global Group.)

> The only option I have is to add
> a Contact or Other Object. Users, Groups, etc. are not an option. I can,
> however, add my user id to the Builtin\Administrators group in the Child
> Domain. I would like to administer both domains from one account. What do I
> do here?

Put the user (your account) in a Global Group on the source
domain (it's a good practice) and put that group in the
Administrators group (a Local group) of the target.

Local groups can contain Users and Global/Universal groups from
the same or any trusted domain.
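
The scope rules discussed in this thread, modelled as an added example that is not part of any poster's message: a small checker that decides whether a membership change is allowed, so a planned nesting can be reviewed before it is attempted. It goes slightly beyond the thread by also covering universal groups and group-in-group nesting. The domain names are taken from Brian's illustration; the group name `Child-Admins` and the native-mode assumption are hypothetical.

```python
from dataclasses import dataclass

# Constructed topology: the forest from the thread's example names.
FOREST = {"company.com", "child.company.com"}

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str  # domain that holds the object
    kind: str    # "user", "global", "domain_local" or "universal"

def resolvable(group_domain, member_domain, external_trusts=()):
    """Can group_domain resolve accounts that live in member_domain?"""
    if group_domain == member_domain:
        return True
    if {group_domain, member_domain} <= FOREST:
        return True  # implicit trust between domains of one forest
    # external_trusts holds (trusting_domain, trusted_domain) pairs
    return (group_domain, member_domain) in external_trusts

def may_add(member, group, external_trusts=()):
    """Scope rules for adding member to group (native-mode domains assumed)."""
    same_domain = member.domain == group.domain
    if group.kind == "global":
        # Only users and global groups from the group's own domain.
        return same_domain and member.kind in ("user", "global")
    if group.kind == "universal":
        return ({member.domain, group.domain} <= FOREST
                and member.kind in ("user", "global", "universal"))
    if group.kind == "domain_local":
        if member.kind == "domain_local":
            return same_domain
        return resolvable(group.domain, member.domain, external_trusts)
    return False  # a user object cannot hold members

def chain_ok(*hops):
    """Check every link of a nesting chain, e.g. user -> global -> local."""
    return all(may_add(m, g) for m, g in zip(hops, hops[1:]))

tony = Principal("tony", "company.com", "user")
child_da = Principal("Domain Admins", "child.company.com", "global")
child_admins = Principal("Administrators", "child.company.com", "domain_local")
# Hypothetical group name for the global group Herb suggests creating.
parent_grp = Principal("Child-Admins", "company.com", "global")

if __name__ == "__main__":
    print(may_add(tony, child_da))                   # Tony's failed attempt
    print(chain_ok(tony, parent_grp, child_admins))  # Herb's suggestion
```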
 
