Forest trust - Administrator rights

bileduct

Hey all,

Can anyone please tell me what administrative privileges are automatically
available where two Windows 2003 Active Directory forests have been
connected via a trust?

I am currently evaluating a statement of work for one of my clients that
involves a two way trust relationship between a business managed forest and
a non-business managed forest. It is preferred that the administrative users
of the non-business managed forest do not have any administrative rights in
the business managed forest.

Is this achievable from the standard trust configuration or will I need to
strip out references to the non-business managed forest administrative
groups from administrative groups in the business managed forest?

Thank you for any assistance.
 
Debo

What type of authentication are you going to configure for the trust?
Domain-wide or Selective? I believe that on either side you would need
to add the other side's administrative group in order to give them
admin rights. I hope that makes sense.
 
bileduct

The scope of authentication has not been defined in the detailed design, but
I would assume Domain-Wide for simplification of administration.

I understand your point regarding adding functional security groups from the
trusted domain to the trusting domain; I was just unsure as to whether or
not privileged groups such as DHCP Admins or Domain Admins are automatically
added to their similarly named groups in other domains when a trust is created
between two domains/forests.

To break it down to the real issue at hand, my company is concerned that
administrative users in the non-managed forest could modify user accounts or
reboot servers in the managed forest if there was simply a two-way (and
let's assume Domain-Wide) trust established between the pair and no further
configuration.

From your response I understand that without adding the trusted domain's
Domain Admins group to the trusting domain's Domain Admins group this could
not occur (assuming for a moment that only Domain Admins can perform those
tasks).

Have I understood you correctly?

Thank you for your prompt response.
 
Guest

Yes you understood it correctly. You should explicitly add them to those
groups to get administrative privileges.
 
bileduct

Taimour Al Neimat said:
Yes you understood it correctly. You should explicitly add them to those
groups to get administrative privileges.

Thanks mate, I appreciate your help.
 
Jorge de Almeida Pinto [MVP - DS]

No admin rights. By just creating a trust you are not giving admin
permissions.

However, by using a trust the scope of Authenticated Users is expanded from
forest1 to forest2 and vice versa.

For example:
* In each domain, Authenticated Users by default have the ability to add up
to 10 computers to the domain. A best practice is to change that by removing
Authenticated Users from that setting in the Default Domain Controllers GPO
(security option).
* If you have assigned permissions to Authenticated Users, all users from
each domain in each forest can access that data.

You can use selective authentication, but you need to decide for yourself
what is required and what is not.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
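The points raised in this thread (a trust grants no admin rights by itself, but it widens Authenticated Users, and the computer-join quota and any foreign principals in privileged groups are what to review) can be checked on the trusting side with the script below. It is an added example, not code from any poster; it assumes it is run on a domain controller of the trusting domain with the ActiveDirectory PowerShell module (2008 R2 RSAT or newer), and the list of privileged groups is a sample to extend.

```powershell
# Added example: audit what a trust exposes on the trusting side.
# Assumptions: run on a DC as an admin of the trusting domain; ActiveDirectory module available.
Import-Module ActiveDirectory

# 1. Trusts: direction and whether selective authentication is enforced.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication |
    Format-Table -AutoSize

# 2. Foreign security principals inside privileged groups. A trust never adds them;
#    any entry found here was added by an administrator and should be reviewed.
$privileged = 'Domain Admins', 'Administrators', 'Enterprise Admins',
              'Schema Admins', 'Account Operators', 'Server Operators',
              'DHCP Administrators'   # sample list, extend as needed
foreach ($name in $privileged) {
    $group = Get-ADGroup -Filter { Name -eq $name } -Properties member -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    # FSP objects live under CN=ForeignSecurityPrincipals and represent trusted-forest SIDs.
    $foreign = $group.member | Where-Object { $_ -like '*,CN=ForeignSecurityPrincipals,*' }
    foreach ($dn in $foreign) {
        $sid = (Get-ADObject $dn -Properties objectSid).objectSid
        try   { $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $resolved = $sid.Value }   # unresolvable SID (trust broken or principal deleted)
        Write-Warning "Foreign principal '$resolved' is a member of '$name'"
    }
}

# 3. Authenticated Users (S-1-5-11) may join up to ms-DS-MachineAccountQuota computers;
#    with a domain-wide trust that includes every user of the trusted forest.
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota (default 10; 0 disables the quota)"

# 4. Effective 'Add workstations to domain' right (SeMachineAccountPrivilege) on this DC,
#    as applied by the Default Domain Controllers Policy. *S-1-5-11 is Authenticated Users.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege' | Select-Object -First 1
if ($line -and $line.Line -match '\*S-1-5-11') {
    Write-Warning "Authenticated Users still hold 'Add workstations to domain': $($line.Line)"
} else {
    Write-Host "SeMachineAccountPrivilege: $($line.Line)"
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Selective authentication changes what step 1 reports, but steps 2 to 4 apply either way, since a domain-wide trust makes every trusted-forest user a member of Authenticated Users on the trusting side.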
 
