Sign in with
Sign up | Sign in
Your question

External trust question

Last response: in Windows 2000/NT
Share
August 24, 2005 6:46:25 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi, All
I have successfully established a two-way external trust (2) separate
forest. (Win2003 Forest and Win2000 forest).

In addition I have added my domain admin account from the Win2003 Forest to
the local builtin administrator group on the Win2000 Forest however when I
try to access resources on the Win2000 forest while I am logged in to the
Win2003 Forest using my using my Win2003 domain admin account I get access
denied. ..
I guess my question is how can I have doamin admin access to all servers
within the Win2000 forest while logged in to the win2003 forest using my
Win2003 domain account..

Please advise..
Thanks
Darren
Anonymous
August 25, 2005 1:51:30 AM

Archived from groups: microsoft.public.win2000.security (More info?)

While the administrators group in a domain is all powerful in the domain it
does not automatically have access to all resources in the domain such as
domain computers. The domain admins group is by default in the local
administrators group of all domain computers but you can not add your
account to that group because it is a global group. You could create an
account in the other domain that is in the domain admins group in the other
domain and then logon as that account when you need admin access to
computers in the that domain or you can add you domain account to the local
administrators group of computers in that domain that you want to manage.
That could be automated with a Group Policy startup script using the net
local group command in a batch file or with Group Policy Restricted Groups
at the Organizational Unit level. --- Steve


"Darren" <Darren@somewhere.com> wrote in message
news:eHQyiwNqFHA.1024@TK2MSFTNGP09.phx.gbl...
> Hi, All
> I have successfully established a two-way external trust (2) separate
> forest. (Win2003 Forest and Win2000 forest).
>
> In addition I have added my domain admin account from the Win2003 Forest
> to the local builtin administrator group on the Win2000 Forest however
> when I try to access resources on the Win2000 forest while I am logged in
> to the Win2003 Forest using my using my Win2003 domain admin account I get
> access denied. ..
> I guess my question is how can I have doamin admin access to all servers
> within the Win2000 forest while logged in to the win2003 forest using my
> Win2003 domain account..
>
> Please advise..
> Thanks
> Darren
>
!