Trusts

LarryP

I have a Windows 2000 domain running AD and an NT40 domain.

As the Windows 2000 domain, I want to be able to trust
only one user from the NT40 domain and add him to the
Domain Admins group on the Windows 2000 domain.

On the NT40 domain I added the 2000 domain as a TrustING
domain. And on the Windows 2000 domain I added the NT40
domain under TRUSTED domain.

When I go to the Windows 2000 domain (AD Users and
Computers), I am able to add the user to the Builtin
Administrators group; however, when I go to the properties
of Domain Admins under USERS, I am unable to see my NT40
domain to add the NT40 user. Why?
 
Joe Richards [MVP]

You can't only trust one user; once you establish the trust it applies to the
entire domain. Anything that isn't properly secured (i.e. anything that doesn't
have a specific group for it instead of Everyone or Authenticated Users, etc.)
will be open to everyone in that domain.

Also Domain Users is a global group. A global group can only have users from the
domain the group exists in, i.e. if I have a domain called DomX, I can only put
users from DomX into DomX\Domain Admins.

The way you need to do this is set up the user with a userid in the 2K domain.
Being a domain admin, that user should easily be able to understand how to use
that ID without a trust.

joe
 
Guest

I use an application on the NT40 domain that needs Domain
Admin rights. This same user on the NT40 domain (we'll
call it ADMIN01) needs Domain Admin rights on the Windows
2000 domain. I cannot set up another user cause the
application can only use one main domain admin account.

Is this possible?
 
Joe Richards [MVP]

The NT4 user will never be a domain admin on the 2K domain; it is an
impossibility. The closest you could get would be to create an ID on the 2K
system that has the same password and hope for the best.

joe
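
Added example, not part of the original thread: a small Python model of the two behaviours discussed above (a global group such as Domain Admins accepts only accounts from its own domain, while the Builtin Administrators group accepts accounts from a trusted domain), plus a check that lists foreign accounts in privileged groups. The domain names `W2K` and `NT40`, the function names and the membership list are constructed for illustration, and only the two group scopes mentioned in the thread are modelled.

```python
# Added illustration: group names come from the thread; domains and data are constructed.
from dataclasses import dataclass

# A global group takes members only from its own domain; a domain-local
# (including Builtin) group also accepts accounts from trusted domains.
GLOBAL, DOMAIN_LOCAL = "global", "domain_local"

@dataclass(frozen=True)
class Group:
    domain: str
    name: str
    scope: str

def can_add(group, member_domain, trusted_by):
    """Return (allowed, reason) for adding an account from member_domain.

    trusted_by maps a trusting domain to the set of domains it trusts.
    """
    if member_domain == group.domain:
        return True, "same domain"
    if group.scope == GLOBAL:
        return False, "global groups accept only members of their own domain"
    if member_domain in trusted_by.get(group.domain, set()):
        return True, "trusted-domain account in a domain-local group"
    return False, "no trust from the group's domain to the member's domain"

def foreign_admins(memberships, privileged):
    """List (group, member) pairs where a privileged group holds a foreign account."""
    hits = []
    for group, member in memberships:
        member_domain = member.split("\\", 1)[0]
        if group.name in privileged and member_domain != group.domain:
            hits.append((f"{group.domain}\\{group.name}", member))
    return hits

# Constructed sample: W2K trusts NT40 one-way, as set up in the question.
TRUSTS = {"W2K": {"NT40"}}
DOMAIN_ADMINS = Group("W2K", "Domain Admins", GLOBAL)
BUILTIN_ADMINS = Group("W2K", "Administrators", DOMAIN_LOCAL)
MEMBERSHIPS = [
    (DOMAIN_ADMINS, "W2K\\Administrator"),
    (BUILTIN_ADMINS, "W2K\\Domain Admins"),
    (BUILTIN_ADMINS, "NT40\\ADMIN01"),
]

if __name__ == "__main__":
    print(can_add(DOMAIN_ADMINS, "NT40", TRUSTS))
    print(can_add(BUILTIN_ADMINS, "NT40", TRUSTS))
    print(foreign_admins(MEMBERSHIPS, {"Administrators", "Domain Admins"}))
```

An account from the trusted domain that lands in Builtin Administrators shows up in the `foreign_admins` result, which is the membership worth reviewing after any trust is created.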
 
