Subdomain Group Administration

Johnny Chow

Recently, I installed a subdomain (x.y.local). Is there a way to add
"domain admin" from the root domain (y.local) to the subdomain's "domain admin"? The
problem is that all PCs are joined to the x.y.local subdomain, which only has the x.y.local
subdomain "domain admin" in the local administrator group. Even if I log on to a
subdomain PC with a y.local root domain "domain domain/Enterprise admin" user
ID, which is an administrator, I still would not have administrator
privilege to change the computer name of the subdomain PC. Please correct me if I
am wrong: the subdomain "domain admin" group is global; therefore you can only
add user accounts/global groups in the domain. So is there a way to add a user
and group to the subdomain "domain admin" from the root domain? I would
appreciate your tips or information.

Thank you in advance,

Johnny Chow
 
Herb Martin

Johnny Chow said:
> Recently, I installed a subdomain (x.y.local). Is there a way to add
> "domain admin" from the root domain (y.local) to the subdomain's "domain admin"?

Sure, since there is an automatic trust in place, you
can add the user or any Global group (Universal
groups too if the domains are in Native Mode).

> The
> problem is that all PCs are joined to the x.y.local subdomain, which only has the x.y.local
> subdomain "domain admin" in the local administrator group. Even if I log on to a
> subdomain PC with a y.local root domain "domain domain/Enterprise admin" user
> ID, which is an administrator, I still would not have administrator
> privilege to change the computer name of the subdomain PC. Please correct me if I
> am wrong: the subdomain "domain admin" group is global;

Yes.

> therefore you can only
> add user accounts/global groups in the domain. So is there a way to add a user
> and group to the subdomain "domain admin" from the root domain?

Yes.

> I would
> appreciate your tips or information.

Unless your trusts are hosed, which will usually be a DNS
error.
 
Joe Richards [MVP]

You cannot nest security principals from one domain in a global group in
another domain. Global groups can only have members from the local domain.

If you are large enough to have a multidomain forest, you should also be large
enough to segregate out your administration. I really wouldn't use domain admin
IDs for managing workstations. I would use an ID that is an administrator on
workstations. That way if you get onto a workstation with the ID and that
workstation is infected with something, you don't compromise your servers.

joe
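
A way to check a workstation for the situation discussed in this thread, as an added example that is not part of the original posts: the script lists the members of the local Administrators group, flags Domain Admins and Enterprise Admins by their well-known RIDs (512 and 519), and adds a dedicated workstation-admin group if it is missing. The group name `X\Workstation Admins` is a hypothetical placeholder; run the script elevated on the workstation, with `-WhatIf` to preview the change.

```powershell
# Added example; not code from the thread.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical dedicated workstation-admin group (assumption, not from the thread).
    [string]$WorkstationAdminGroup = 'X\Workstation Admins'
)

# Well-known RIDs of the forest/domain-wide admin groups.
$tier0Rids = @{ '512' = 'Domain Admins'; '519' = 'Enterprise Admins' }

# S-1-5-32-544 is the built-in local Administrators group on every Windows machine,
# so the lookup works regardless of the OS display language.
$adminsSid = 'S-1-5-32-544'
$members   = @(Get-LocalGroupMember -SID $adminsSid)

$report = foreach ($m in $members) {
    $sid = $m.SID.Value
    $rid = $sid.Substring($sid.LastIndexOf('-') + 1)
    # Domain and machine accounts live under S-1-5-21-...; built-in SIDs do not.
    $isAccountSid = $sid -like 'S-1-5-21-*'
    [pscustomobject]@{
        Name        = $m.Name
        ObjectClass = $m.ObjectClass
        Sid         = $sid
        Tier0Group  = if ($isAccountSid -and $tier0Rids.ContainsKey($rid)) { $tier0Rids[$rid] } else { $null }
    }
}

$report | Format-Table -AutoSize

$flagged = @($report | Where-Object { $_.Tier0Group })
if ($flagged.Count -gt 0) {
    Write-Warning ("{0}: {1} domain-wide admin group(s) hold local Administrators rights here." -f `
        $env:COMPUTERNAME, $flagged.Count)
}

# Grant workstation administration to the dedicated group instead.
if ($members.Name -notcontains $WorkstationAdminGroup) {
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Add '$WorkstationAdminGroup' to local Administrators")) {
        Add-LocalGroupMember -SID $adminsSid -Member $WorkstationAdminGroup
    }
}
```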
 
