Adding user to Child Domain Group

Archived from groups: microsoft.public.win2000.active_directory

Hello,
1 AD 2003 Forest
1 AD 2003 Child Domain in Forest

I'm trying to add my user account from the parent domain into the Domain
Admins group in the Child Domain but can't. The only option I have is to add
a Contact or Other Object. Users, Groups, etc. are not an option. I can,
however, add my user id to the Builtin\Administrators group in the Child
Domain. I would like to administer both domains from one account. What do I
do here?

Thanks,
Tony
  1.

    Tony-

    The issue here is group scope. Domain Admins is a global group,
    Administrators is a Domain Local group. Adding yourself to the domain
    "Administrators" group gives you almost full control - enough to do most day
    to day tasks. Others will require a separate account.

    The reason here is that a global group is exposed to any domain that the
    group's parent trusts. In an AD forest, you have implicit trust, but, think
    of a situation where child.company.com trusts an external domain
    widgets.com. Widgets.com has no idea about the company.com domain where
    your account is. Thus, when it sees a group containing users from domains
    other than child.company.com it has no way to resolve them.


    --
    --
    Brian Desmond
    Windows Server MVP
    desmondb@payton.cps.k12.il.us

    Http://www.briandesmond.com
  2.

    Hi Brian,

    Ok, I see your point. My problem was that I'm trying to administer
    workstations in that domain but can't. What I could do though is create a
    batch job that adds the Parent\Domain Admins group to the local Admin group
    on the PCs?

    Cheers,
    Tony
  3.

    "Tony" <tony@spamthis.org> wrote in message
    news:udY3a0n0EHA.3468@TK2MSFTNGP14.phx.gbl...
    > Hello,
    > 1 AD 2003 Forest
    > 1 AD 2003 Child Domain in Forest
    >
    > I'm trying to add my user account from the parent domain into the Domain
    > Admins group in the Child Domain but can't.

    Domain Admins is a GLOBAL Group.

    Global Groups can ONLY contain users from the same
    domain (as the Global Group.)

    > The only option I have is to add
    > a Contact or Other Object. Users, Groups, etc. are not an option. I can,
    > however, add my user id to the Builtin\Administrators group in the Child
    > Domain. I would like to administer both domains from one account. What do I
    > do here?

    Put the user (your account) in a Global Group on the source
    domain (it's a good practice) and put that group in the
    Administrators group (a Local group) of the target.

    Local groups can contain Users and Global/Universal groups from
    the same or any trusted domain.

    --
    Herb Martin


    >
    > Thanks,
    > Tony
    >
    >
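
The nesting described in the answer above (account into a Global group in the source domain, that group into the target domain's Administrators group), as an added example that is not part of the original posts. It assumes the ActiveDirectory PowerShell module (RSAT), a later tool than this thread; the domain names are the illustrative ones from the first answer, and the user and group names are hypothetical.

```powershell
# Added example. Domain names are the illustrative ones from the thread;
# the user and group names are hypothetical placeholders.
Import-Module ActiveDirectory

$ParentDomain = 'company.com'         # source domain: holds the admin account
$ChildDomain  = 'child.company.com'   # target domain to be administered
$AdminUser    = 'tony'                # hypothetical sAMAccountName
$GroupName    = 'Child-Admins'        # hypothetical global group name

# Why the object picker refuses the parent account: Domain Admins is Global,
# the child's Administrators group is domain local (reported as DomainLocal).
Get-ADGroup -Identity 'Domain Admins' -Server $ChildDomain |
    Select-Object Name, GroupScope
$target = Get-ADGroup -Identity 'Administrators' -Server $ChildDomain `
    -Properties member

# 1. Global security group in the source domain (created only if missing).
$group = Get-ADGroup -Filter "SamAccountName -eq '$GroupName'" -Server $ParentDomain
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security `
        -Server $ParentDomain -PassThru
}

# 2. Same-domain membership: the account goes into the global group.
$user    = Get-ADUser -Identity $AdminUser -Server $ParentDomain
$current = (Get-ADGroup -Identity $group -Server $ParentDomain -Properties member).member
if ($current -notcontains $user.DistinguishedName) {
    Add-ADGroupMember -Identity $group -Members $user -Server $ParentDomain
}

# 3. Cross-domain nesting: the global group goes into the child domain's
#    Administrators group, which accepts members from trusted domains.
if ($target.member -notcontains $group.DistinguishedName) {
    Add-ADGroupMember -Identity $target -Members $group -Server $ChildDomain
}

# 4. Review the result: every DN listed here has admin rights in the child.
(Get-ADGroup -Identity $target -Server $ChildDomain -Properties member).member
```

The membership checks make the script safe to re-run, and the final listing is the one to keep under periodic review, since nested groups from another domain are easy to overlook in an audit.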
  4.

    Yes this would work.

    --
    --
    Brian Desmond
    Windows Server MVP
    desmondb@payton.cps.k12.il.us

    Http://www.briandesmond.com


    "Tony" <tony@spamthis.org> wrote in message
    news:O$vvuIo0EHA.2788@TK2MSFTNGP15.phx.gbl...
    > Hi Brian,
    >
    > Ok, I see your point. My problem was that I'm trying to administer
    > workstations in that domain but can't. What I could do though is create a
    > batch job that adds the Parent\Domain Admins group to the local Admin group
    > on the PCs?
    >
    > Cheers,
    > Tony