Child domain - Global group permissions

R

Rob

I am having a problem assigning Domain Admin privileges in child domain. I
have normal user accounts in a parent domain that need Domain Admin
privileges in a child domain. Apparently by-design, this can't be done,
since the domain admins group is a global group.

Is there a work around or magic that will accomplish the same?

Rob
 
M

Miha Pihler

Microsoft's recommendation for permission delegations is "AGDLP"

This means you put _A_ccount to _G_lobal Group. You should place Global
group to (Domain) _L_ocal group and assign permission to it...

To put it another way. Create new Domain Local group and add Global group
from other domain. Assign permissions to your resource using newly created
Domain Local group...

I hope this helps,

Mike
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Should this work? - Folder permissions 1
Problem: Permissions in AD 2
Default domain permissions 4
"enterprise admins" member of local domain administrators ?! 2
DOMAIN SECURITY GROUP POLICY 3
Child/Parent Domain sanity Check 3
How to add child domain user in parent Domain admin group 2
Unable to login to child domain using GlobalAdmins (Enterprise Adm 2

Top