Domain Admin Access across Trusted domains

Is there a way for me to have administrator rights on a domain that I trust
with my domain? I just merged with a company and have established an external
trust with their network. I am now in charge of all Active Directory for the
whole company and would like to be able to access their AD from my PC
directly.

Any help would be much appreciated.

Thanks
Dev
 
If your machine is in a domain that trusts them, then you
need an account in the trusted domain. If theirs is trusting
yours, then they could adjust membership of their Domain
Admins group to add your account (they cannot add your
Domain Admins group as it would be global in alien global)
 
The trust is a two way external trust. I can not add members from the trusted
domain to groups on my domain. I can only add access on the folder/file
level. How can I add myself to the domain admins group or even the enterprise
admins group? When I open the group and select add on the members tab, I can
not see my domain to add my account.

Any ideas?

Thanks
Dev
 
You may have a DNS issue.
If both domains are using Windows DNS and are W2k3 then
you could resolve this with conditional forwarding. Else,
you would need to establish secondary zones each in the
other domain so that both can resolve the AD supporting
DNS records of the other.

You should expect to not be able to add external groups into
your domain global groups. You should be able to see the
trusted domain in the list of locations in the user/group object
picker, and to then add from the external as long as you are
not attempting to nest externals into your globals.
 
Roger --

I'll expand on "DevGD"'s post, if I may ...

We have a training domain in a separate forest, because we needed to not
have two-way transitive trusts between it and our production domain ... I
can add members of our production domain to Domain Local security group, but
not to Domain Global security groups on the training domain ... If I add our
users to a Domain Local security group, I can't add that Domain Local
security group to the Domain Global group "Domain Admins" ... We have
delegated any administrative task possible through Delegation, but that
does not allow us all admin rights, such as Group Policy administration ...
Anyone who can offer assistance in getting a domain user from a separate
domain and forest into the trusting domain's Domain Admins group would be
severely appreciated !!! I don't think it's possible, because I've tried
everything I can think of, but I could be wrong, and hope that I am ...
 
Joe Rookie said:
Roger --

I'll expand on "DevGD"'s post, if I may ...

We have a training domain in a separate forest, because we needed to not
have two-way transitive trusts between it and our production domain ... I
can add members of our production domain to Domain Local security group, but
not to Domain Global security groups on the training domain ... If I add our
users to a Domain Local security group, I can't add that Domain Local
security group to the Domain Global group "Domain Admins" ... We have
delegated any administrative task possible through Delegation, but that
does not allow us all admin rights, such as Group Policy administration ...
Anyone who can offer assistance in getting a domain user from a separate
domain and forest into the trusting domain's Domain Admins group would be
severely appreciated !!! I don't think it's possible, because I've tried
everything I can think of, but I could be wrong, and hope that I am ...
Joe,

That is quite clearly described.
What you are experiencing is due to the fact that domain globals
are defined to consist only of objects of their domain.

Much, not all, can be conferred by making members of the
domain's local Administrators group, but yes, this is not the
same as making them members of Domain Admins.
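
Added example, not part of the original thread: a small Python model of the group-scope nesting rules discussed above, run against the four attempts the posters describe. The domain, forest, account and group names (PROD, TRAIN, jadmin, Prod Helpers) are constructed, and the model assumes native-mode scope rules with Builtin Administrators treated as domain local scope.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str   # domain that owns the object
    forest: str
    kind: str     # "user", "global", "universal" or "domain_local"

def can_add(member, group, trusted=frozenset()):
    """Return (allowed, rule). `trusted` holds domains outside the group's
    forest that the group's domain trusts (external or forest trust)."""
    same_domain = member.domain == group.domain
    same_forest = member.forest == group.forest
    reachable = same_forest or member.domain in trusted
    if group.kind == "global":
        ok = same_domain and member.kind in ("user", "global")
        return ok, "global groups hold only users and globals of their own domain"
    if group.kind == "universal":
        ok = same_forest and member.kind in ("user", "global", "universal")
        return ok, "universal groups hold users, globals and universals of their forest"
    if group.kind == "domain_local":
        if member.kind == "domain_local":
            return same_domain, "domain locals nest only within their own domain"
        return reachable, "domain locals accept accounts and groups from trusted domains"
    return False, "target is not a group"

# Constructed sample objects (assumption: Builtin Administrators behaves
# like a domain local group for membership purposes).
PROD, TRAIN = ("PROD", "prod.example"), ("TRAIN", "train.example")
prod_admin = Principal("PROD\\jadmin", *PROD, "user")
train_helpers = Principal("TRAIN\\Prod Helpers", *TRAIN, "domain_local")
domain_admins = Principal("TRAIN\\Domain Admins", *TRAIN, "global")
builtin_admins = Principal("TRAIN\\Administrators", *TRAIN, "domain_local")
TRAIN_TRUSTS = frozenset({"PROD"})  # TRAIN trusts PROD

ATTEMPTS = [(prod_admin, domain_admins),     # foreign user into Domain Admins
            (prod_admin, train_helpers),     # foreign user into a domain local
            (train_helpers, domain_admins),  # that domain local into Domain Admins
            (prod_admin, builtin_admins)]    # foreign user into Builtin Administrators

def thread_attempts():
    """Evaluate the thread's four attempts in order; returns a list of bools."""
    return [can_add(m, g, TRAIN_TRUSTS)[0] for m, g in ATTEMPTS]

if __name__ == "__main__":
    for (m, g), ok in zip(ATTEMPTS, thread_attempts()):
        print(f"{m.name} -> {g.name}: {'allowed' if ok else 'denied'}")
```

Members added across a forest boundary this way show up in the trusting domain as foreign security principals, so the membership of Builtin Administrators is the place to review who from the other side holds admin rights.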
 
Thanks, Roger ... This one has been killing me for awhile :-) ... I added
our admins to the Builtin Local Security group "Administrators" ...
Hopefully, this gives us what we need ... It was frustrating trying to
figure this out because we would go through the process, knowing which types
of groups can have what types of groups and users, and every time we thought
we had it, we figured out why we couldn't :-) !!!
 