One domain admin for multiple domains

  • Thread starter Richard J Pollock Jr

Richard J Pollock Jr

I have two separate domains. I was wondering if there was a way to have my
domain admins from one domain be able to admin the other domain. I tried
adding the user I want to be able to admin to the domain admins group of the
other domain, but it can't add them.

Thanks
 

Laura E. Hunter (MVP)

If the two domains are in the same forest, you can add the appropriate users
to the "Enterprise Admins" group, which has administrative authority over
every domain in the forest.
 

Richard J Pollock Jr

What if they are separate forests? Is there any way to admin the domain
admins group to each of the domains?

Rick
 

Paul Adare - MVP - Microsoft Virtual PC

In the microsoft.public.win2000.security news group, Laura E. Hunter (MVP) said:
> If the two domains are in the same forest, you can add the appropriate users
> to the "Enterprise Admins" group, which has administrative authority over
> every domain in the forest.

Not a great idea. Membership in the Enterprise Admins group should be
tightly controlled. Using Enterprise Admins to allow a group of users
from one domain to administer another domain in the same forest is a
really, really bad idea. Better to simply add the group from the first
domain to Domain Admins in the second domain.

Having said that, from the OP it would appear that these are two
separate domains, in which case, setting up a trust relationship is the
solution.
 

Richard J Pollock Jr

I have trusts in place and I can verify they are active in both and in working
condition. Here's what I want to accomplish: If I login to my PC as a domain
admin, I want to be able to type in \\192.168.0.1\c$ (which is on the other
domain) and I don't have to enter another username and password. Right now,
this doesn't work.

I can't add the domain admins from the other domain to this domain. Only the
current local users show up. I guess that's how it's supposed to work?
 

Laura E. Hunter (MVP)

Paul's assertion is absolutely correct...sorry, hit 'Send' before I typed my
"Enterprise Admins is a big bad scary needs-to-be-well-controlled group"
disclaimer.

If you're dealing with 2 separate forests, then you can create a trust
relationship between them and add DOMAIN1\Domain Admins to the
DOMAIN2\Domain Admins group, and/or vice versa.

The forest container is a security boundary in both 2000 and 2003 though, so
this scenario would certainly require a trust relationship to work the way
you're describing.
 

Richard J Pollock Jr

I have a trust relationship between the two domains already. When I go to add
the domain admins to the other domain, the other domain doesn't show up in
the list of domains to choose from.

Someone said that you can only add local users/groups to global groups???


 

Paul Adare - MVP - Microsoft Virtual PC

In the microsoft.public.win2000.security news group, Richard J Pollock Jr said:
> I can't add the domain admins from the other domain to this domain. Only the
> current local users show up. I guess that's how it's supposed to work?

Assume that you've got two domains, DomainA and DomainB and you want
Domain Admins from DomainA to be able to administer DomainB:

1. You need to have DomainB trust DomainA.
2. When adding the Domain Admins group from DomainA to the Domain Admins
group in DomainB, you need to either type DomainA\Domain Admins in the
box, or make sure that your location picker is pointing to DomainA.

Of course, by default when you're looking at the membership for DomainB,
only DomainB users and groups will show up.
 

Laura E. Hunter (MVP)

It depends on the functionality level you're running at.

Groups in domains set to the Windows 2000 native functional level (or
better), or distribution groups in domains set to the Windows 2000 mixed
functional level can have the following members:

a. Groups with universal scope can have the following members: accounts,
computer accounts, other groups with universal scope, and groups with global
scope from any domain.
b. Groups with global scope can have the following members: accounts from
the same domain and other groups with global scope from the same domain.
c. Groups with domain local scope can have the following members:
accounts, groups with universal scope, and groups with global scope, all
from any domain. This group can also have as members other groups with
domain local scope from within the same domain.

Security groups in domains set to the Windows 2000 mixed functional level
are restricted to the following types of membership:

a. Groups with global scope can have as their members only accounts.
b. Groups with domain local scope can have as their members other groups
with global scope and accounts.

Security groups with universal scope cannot be created in domains with the
domain functional level set to Windows 2000 mixed because universal scope is
supported only in domains where the domain functional level is set to
Windows 2000 native or Windows Server 2003.


--
******************************
Laura E. Hunter - MCSE, MCT, MVP
Replies to newsgroup only


 

Steven L Umbach

Domain admins is a global group which can only contain members from the same domain.
Try adding them to the "administrators" group in the other domain. The main
difference is that the domain admins group is included in the local administrators
group on every non domain controller computer in the domain while the administrators
group is not. --- Steve
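
The approach suggested in the post above, as an added PowerShell example that is not part of the original thread: it checks the target group's scope before adding DomainA's Domain Admins to DomainB's built-in Administrators, then lists the foreign principals that now hold that right. It assumes the RSAT ActiveDirectory module and an existing trust where DomainB trusts DomainA; both DNS names are placeholders.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and that DomainB already trusts DomainA. Both DNS names are placeholders.
Import-Module ActiveDirectory
$TrustedDomain  = 'domaina.example'   # placeholder: domain holding the admin accounts
$ResourceDomain = 'domainb.example'   # placeholder: domain to be administered

# Resolve each group against a domain controller of its own domain.
$source = Get-ADGroup -Identity 'Domain Admins'  -Server $TrustedDomain
$target = Get-ADGroup -Identity 'Administrators' -Server $ResourceDomain

# Global groups accept members from their own domain only; domain local groups
# accept members from any trusted domain. Stop if the target has the wrong scope.
if ($target.GroupScope -ne 'DomainLocal') {
    throw "$($target.Name) has scope $($target.GroupScope); it cannot hold members from $TrustedDomain"
}
Add-ADGroupMember -Identity $target -Members $source -Server $ResourceDomain

# Audit: members that come from another forest are stored in the resource domain
# as foreignSecurityPrincipal objects named by SID. List them and translate each
# SID back to an account name so the grant can be reviewed.
$memberDns = (Get-ADGroup -Identity $target -Server $ResourceDomain -Properties member).member
$foreign   = $memberDns | Where-Object { $_ -like '*CN=ForeignSecurityPrincipals,*' }
foreach ($dn in $foreign) {
    $obj = Get-ADObject -Identity $dn -Server $ResourceDomain -Properties objectSid
    try {
        $name = $obj.objectSid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '(unresolved: trust unavailable or account deleted)'
    }
    [pscustomobject]@{ Group = $target.Name; Sid = $obj.objectSid.Value; Account = $name }
}
```

Running the audit loop on a schedule shows when a new cross-forest principal appears in the group.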
 
