
Adding user to Child Domain Group

November 24, 2004 6:26:45 PM

Archived from groups: microsoft.public.win2000.active_directory

Hello,
1 AD 2003 Forest
1 AD 2003 Child Domain in Forest

I'm trying to add my user account from the parent domain into the Domain
Admins group in the Child Domain but can't. The only option I have is to add
a Contact or Other Object. Users, Groups..etc are not an option. I can,
however, add my user id to the Builtin\Administrators group in the Child
Domain. I would like to administer both domains from one account. What do I
do here?

Thanks,
Tony
Anonymous
November 24, 2004 8:45:56 PM

Tony-

The issue here is group scope. Domain Admins is a global group,
Administrators is a Domain Local group. Adding yourself to the domain
"Administrators" group gives you almost full control - enough to do most day
to day tasks. Others will require a separate account.

The reason here is that a global group is exposed to any domain that the
group's parent trusts. In an AD forest, you have implicit trust, but, think
of a situation where child.company.com trusts an external domain
widgets.com. Widgets.com has no idea about the company.com domain where
your account is. Thus, when it sees a group containing users from domains
other than child.company.com it has no way to resolve them.



--
--
Brian Desmond
Windows Server MVP
desmondb@payton.cps.k12.il.us

Http://www.briandesmond.com


November 24, 2004 8:45:57 PM

Hi Brian,

Ok, I see your point. My problem was that I'm trying to administer
workstations in that domain but can't. What I could do though is create a
batch job that adds the Parent\Domain Admins group to the local Admin group
on the PCs?

Cheers,
Tony

Anonymous
November 24, 2004 9:16:31 PM

"Tony" <tony@spamthis.org> wrote in message
news:udY3a0n0EHA.3468@TK2MSFTNGP14.phx.gbl...
> Hello,
> 1 AD 2003 Forest
> 1 AD 2003 Child Domain in Forest
>
> I'm trying to add my user account from the parent domain into the Domain
> Admins group in the Child Domain but can't.

Domain Admins is a GLOBAL Group.

Global Groups can ONLY contain users from the same
domain (as the Global Group.)

> The only option I have is to add
> a Contact or Other Object. Users, Groups..etc are not an option. I can,
> however, add my user id to the Builtin\Administrators group in the Child
> Domain. I would like to administer both domains from one account. What do I
> do here?

Put the user (your account) in a Global Group on the source
domain (it's a good practice) and put that group in the
Administrators group (a Local group) of the target.

Local groups can contain Users and Global/Universal groups from
the same or any trusted domain.

--
Herb Martin


>
> Thanks,
> Tony
>
>
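The arrangement described in the reply above (the account goes into a global group in the source domain, and that group goes into the target domain's Administrators group), written with the ActiveDirectory PowerShell module as an added example that is not part of the original thread. The module postdates the thread; the group name `Child-Domain-Admins` and the account name `tony` are assumptions, and the domain names are the illustrative ones used earlier in the thread.

```powershell
# Added example, not from the thread. Names below are assumptions.
Import-Module ActiveDirectory

$ParentDomain = 'company.com'          # source domain holding the admin account
$ChildDomain  = 'child.company.com'    # target domain to be administered
$GroupName    = 'Child-Domain-Admins'  # hypothetical global group name
$AdminUser    = 'tony'                 # hypothetical sAMAccountName in the parent

# 1. Global group in the source domain. A global group only accepts members
#    from its own domain, so the parent-domain account is added here.
$group = Get-ADGroup -Filter "SamAccountName -eq '$GroupName'" -Server $ParentDomain
if (-not $group) {
    $usersContainer = (Get-ADDomain -Server $ParentDomain).UsersContainer
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security `
        -Path $usersContainer -Server $ParentDomain -PassThru
}

$user    = Get-ADUser -Identity $AdminUser -Server $ParentDomain
$members = Get-ADGroupMember -Identity $group -Server $ParentDomain
if ($members.DistinguishedName -notcontains $user.DistinguishedName) {
    Add-ADGroupMember -Identity $group -Members $user -Server $ParentDomain
}

# 2. Nest the global group in the target domain's Builtin\Administrators.
#    A domain local group accepts global groups from any trusted domain.
$childAdmins = Get-ADGroup -Identity 'Administrators' -Properties member `
    -Server $ChildDomain
if ($childAdmins.member -notcontains $group.DistinguishedName) {
    Add-ADGroupMember -Identity $childAdmins -Members $group -Server $ChildDomain
}

# 3. Review: list every member of the child's Administrators group whose
#    distinguished name lies outside the child domain, so cross-domain
#    administrative access stays visible and can be audited.
$childDn = (Get-ADDomain -Server $ChildDomain).DistinguishedName
(Get-ADGroup -Identity 'Administrators' -Properties member -Server $ChildDomain).member |
    Where-Object { $_ -notlike "*,$childDn" }
```

Granting access through a dedicated group rather than a direct user entry means the child domain's Administrators membership changes only when the group is nested or removed, and step 3 can be rerun periodically to confirm no unexpected foreign principals have been added.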
Anonymous
November 25, 2004 6:56:22 PM

Yes this would work.

--
--
Brian Desmond
Windows Server MVP
desmondb@payton.cps.k12.il.us

Http://www.briandesmond.com

