Problem: Permissions in AD


Ken Belferman

Greetings:

I've run into a bit of a problem. I'd like to grant Domain Admin users from
a parent domain admin privileges in a child domain, ideally using Group
Policy.

Using the AD Computer and Users management console, it appears that since
Domain Admins is a Global Group, I cannot add anyone to this group who is
outside the child domain, even though the users I want to add are in Domain
Admins in the parent domain.

Any suggestions appreciated.

Thanks in advance.



Ken B.
 
You could add them to the Administrators group for your domain in AD Users
and Computers. That would not, however, give them admin powers on domain
computers. To do that you could use Restricted Groups - Member Of and add
the Domain Admins group from the parent domain to the Administrators group
on domain computers. Restricted Groups is best used at the OU level to
enforce membership on domain computer local groups, and the Member Of option
does not work right unless your computers are at Service Pack 4. --- Steve

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html --
description of how to use Restricted Groups.
 
Steve:

Thanks for the suggestion.

I tried using Restricted Groups and apparently the drawback is that when you
add a group it removes the others that were configured in the local Admins
group. I guess when it says "Restricted" they're not fooling around!

However, my problem appears to be solved. I found out I had to add subnets
of the parent domain to the firewall policy. After doing that and creating
a special admin group in AD consisting of users from the parent domain
everything worked okay.

Thanks again.


Ken B.
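
The two Restricted Groups modes discussed in this thread, shown as they appear in a GPO's security template (GptTmpl.inf). This is an added example, not part of the original posts; PARENT is a hypothetical NetBIOS name for the parent domain, and S-1-5-32-544 is the well-known SID of the local BUILTIN\Administrators group.

```ini
; Added example: Restricted Groups entries in GptTmpl.inf
; PARENT is a hypothetical parent-domain name.

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[Group Membership]
; Option A: "Member Of" (additive)
; The entry is keyed on the group being added. At policy refresh the
; parent domain's Domain Admins group is placed into the local
; Administrators group on each computer the GPO applies to, and the
; existing members of local Administrators are left in place.
PARENT\Domain Admins__Memberof = *S-1-5-32-544

; Option B: "Members" (authoritative)
; The entry is keyed on the local group itself. The list below becomes
; the enforced membership of local Administrators, and accounts or groups
; not listed are removed at policy refresh. This is the behaviour
; described in the reply above.
; Use one option or the other for a given local group, not both.
; *S-1-5-32-544__Members = PARENT\Domain Admins
```

After a policy refresh, `net localgroup Administrators` on a target computer shows which of the two behaviours was applied.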
 