Sign in with
Sign up | Sign in
Your question

Child domain - Global group permissions

Last response: in Windows 2000/NT
Share
August 3, 2004 3:01:55 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I am having a problem assigning Domain Admin privileges in child domain. I
have normal user accounts in a parent domain that need Domain Admin
privileges in a child domain. Apparently by-design, this can't be done,
since the domain admins group is a global group.

Is there a work around or magic that will accomplish the same?

Rob
Anonymous
a b 8 Security
August 3, 2004 10:40:29 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Microsoft's recommendation for permission delegations is "AGDLP"

This means you put _A_ccount to _G_lobal Group. You should place Global
group to (Domain) _L_ocal group and assign permission to it...

To put it another way. Create new Domain Local group and add Global group
from other domain. Assign permissions to your resource using newly created
Domain Local group...

I hope this helps,

Mike

"Rob" <rob john@hmmausa.com> wrote in message
news:o xWtOMXeEHA.556@tk2msftngp13.phx.gbl...
> I am having a problem assigning Domain Admin privileges in child domain.
I
> have normal user accounts in a parent domain that need Domain Admin
> privileges in a child domain. Apparently by-design, this can't be done,
> since the domain admins group is a global group.
>
> Is there a work around or magic that will accomplish the same?
>
> Rob
>
>
!