Subdomain Group Administration

Archived from groups: microsoft.public.win2000.active_directory

Recently, I installed a subdomain (x.y.local). Is there a way to add
"domain admin" from the root domain (y.local) to the "domain admin" subdomain? The
problem is that all PCs are joined to the x.y.local subdomain, which only has the x.y.local
subdomain "domain admin" in the local administrator group. Even if I log on to a
subdomain PC with a y.local root domain "domain domain/Enterprise admin" user
ID, which is an administrator, I still would not have administrator
privilege to change the computer name of the subdomain PC. Please correct me if I
am wrong: the subdomain "domain admin" group is global; therefore you can only
add user accounts/global groups in the domain. So is there a way to add a user
and group to the subdomain "domain admin" from the root domain? I would
appreciate your tips or information.

Thank you in advance,

Johnny Chow
 

"Johnny Chow" <jchow10@yahoo.com> wrote in message
news:u8e3T1ZVFHA.3280@TK2MSFTNGP09.phx.gbl...
> Recently, I installed subdomain (x.y.local) and is there a way to add
> "domain admin" from root domain (y.local) to "domain admin" subdomain.

Sure, since there is an automatic trust in place, you
can add the user or any Global group (Universal
groups too if the domains are in Native Mode.)


> The
> problem is all PCs join to x.y.local subdomain which only has x.y.local
> subdomain "domain admin" in local administrator group. Even I logon to
> subdomain PC with y.local root domain "domain domain/Enterprise admin" user
> id which is administrator then I still would not have administrator
> privilege to change computer name of subdomain PC. Please correct me if I
> am wrong, subdomain "domain admin" group is global;

Yes.

> therefore you only can
> add user accounts/global groups in the domain so is there a way to add user
> and group to subdomain "domain admin" from root domain.

Yes.

> I will be
> appreciated your tips or information.

Unless your trusts are hosed, which will usually be a DNS
error.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 

You can not nest security principals from one domain in a global group in
another domain. Global groups can only have members from the local domain.

If you are large enough to have a multidomain forest, you should also be large
enough to segregate out your administration. I really wouldn't use domain admin
IDs for managing workstations. I would use an ID that is an administrator on
workstations. That way if you get onto a workstation with the ID and that
workstation is infected with something, you don't compromise your servers.

joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Johnny Chow wrote:
> Recently, I installed subdomain (x.y.local) and is there a way to add
> "domain admin" from root domain (y.local) to "domain admin" subdomain. The
> problem is all PCs join to x.y.local subdomain which only has x.y.local
> subdomain "domain admin" in local administrator group. Even I logon to
> subdomain PC with y.local root domain "domain domain/Enterprise admin" user
> id which is administrator then I still would not have administrator
> privilege to change computer name of subdomain PC. Please correct me if I
> am wrong, subdomain "domain admin" group is global; therefore you only can
> add user accounts/global groups in the domain so is there a way to add user
> and group to subdomain "domain admin" from root domain. I will be
> appreciated your tips or information.
>
> Thank you in advance,
>
> Johnny Chow
>
>
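
The nesting rule stated in the reply above, as an added example that is not part of the original thread: a small Python model of native-mode Active Directory group scopes, generalized beyond global groups to universal and domain local ones. The DNs are constructed from the thread's y.local and x.y.local names, and the "Workstation Admins" group and "wks-admin" user are hypothetical.

```python
# Added example: a model of native-mode AD group nesting rules, not a directory client.
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    dn: str    # distinguished name (constructed sample values)
    kind: str  # "user", "global", "universal" or "domain_local"

def domain_of(dn: str) -> str:
    """Build the DNS domain name from the DC= components of a DN."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC=")).lower()

def can_nest(member: Principal, group: Principal) -> tuple[bool, str]:
    """Return (allowed, reason) for adding member to group."""
    same = domain_of(member.dn) == domain_of(group.dn)
    if group.kind == "global":
        if not same:
            return False, "global groups take members from their own domain only"
        if member.kind in ("user", "global"):
            return True, "same-domain user or global group"
        return False, f"a global group cannot contain a {member.kind} group"
    if group.kind == "universal":
        if member.kind == "domain_local":
            return False, "universal groups cannot contain domain local groups"
        return True, "universal groups take users, global and universal groups forest-wide"
    if group.kind == "domain_local":
        if member.kind == "domain_local" and not same:
            return False, "domain local groups nest only inside their own domain"
        return True, "domain local groups take principals from any trusted domain"
    raise ValueError(f"not a group scope: {group.kind}")

# Constructed DNs using the thread's domain names; the last two names are hypothetical.
ROOT_DA = Principal("CN=Domain Admins,CN=Users,DC=y,DC=local", "global")
CHILD_DA = Principal("CN=Domain Admins,CN=Users,DC=x,DC=y,DC=local", "global")
CHILD_WKS = Principal("CN=Workstation Admins,CN=Users,DC=x,DC=y,DC=local", "domain_local")
ROOT_USER = Principal("CN=wks-admin,CN=Users,DC=y,DC=local", "user")

if __name__ == "__main__":
    for member, group in [(ROOT_DA, CHILD_DA), (ROOT_USER, CHILD_DA),
                          (ROOT_USER, CHILD_WKS), (ROOT_DA, CHILD_WKS)]:
        ok, why = can_nest(member, group)
        print(f"{member.dn} -> {group.dn}: {'OK' if ok else 'REJECTED'} ({why})")
```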