How to grant a global group the same access as domain admins.

I would like a group other than Domain Admins to have the same access as Domain Admins, such as full access to servers and workstations. Auditors want a list of Domain Admins, so I want as few people in there as possible.

ALSO

When you join a machine to the domain, it automatically adds Domain Admins to the local Administrators group. Can this be set to add another group also?

Thanks!
wreed420Asked:
kinveachyCommented:
I would  create a new group and just make it a member of Domain Admins.  Then whoever you put in that new group will have the same access.
0
wreed420Author Commented:
That will not work; besides, the only group or user I want in Domain Admins is my administrator account.
0
elbereth21Commented:
I would create a new group and make it a member of DomainName/Builtin/Administrators and maybe also of Enterprise Admins, though this might not be needed.
0
_anom_Commented:
To also have certain groups added to the local administrators group on computers, you can use group policy.  This article explains the process well enough:

http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/21296/21296.html

Cheers
0
rafael_accCommented:
Configure your domain to run in native mode. Then you will be allowed to insert a group inside another one. Once you've done that, insert your global group into the Domain Admins group.

You might also want to take a look at this article:
http://windows.about.com/library/weekly/aa010506a.htm

If you go for native mode, make sure you don't have any DC running a pre-Windows 2000 OS.

Cheers.
0
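
Nesting a group inside Domain Admins, as suggested in the comments above, gives its members the same rights, and a recursive membership query lists every one of them. The PowerShell below is an added example, not code from any post in this thread; it assumes the ActiveDirectory (RSAT) module and the default English group names, and the function name is hypothetical.

```powershell
# Added example: list everyone who effectively holds a privileged group's
# rights, whether added directly or through a nested group.
# Assumes the ActiveDirectory module (RSAT) and default English group names.
Import-Module ActiveDirectory

function Get-EffectivePrivilegedMember {   # hypothetical helper name
    param(
        [string[]]$GroupName = @('Domain Admins', 'Administrators')
    )
    foreach ($name in $GroupName) {
        try {
            $group = Get-ADGroup -Identity $name -ErrorAction Stop
        } catch {
            Write-Warning "Group '$name' not found in the current domain"
            continue
        }

        # Direct members only: this is what a non-recursive listing shows
        $direct = Get-ADGroupMember -Identity $group
        $nested = $direct | Where-Object { $_.objectClass -eq 'group' }

        # -Recursive flattens the nesting and returns only non-group members
        foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
            [pscustomobject]@{
                PrivilegedGroup = $group.Name
                Member          = $m.SamAccountName
                ObjectClass     = $m.objectClass
                # False means the account got its rights through a nested group
                Direct          = [bool]($direct.DistinguishedName -contains $m.DistinguishedName)
                NestedGroups    = ($nested.Name -join '; ')
            }
        }
    }
}

Get-EffectivePrivilegedMember |
    Sort-Object PrivilegedGroup, Member |
    Format-Table -AutoSize
```

Rows with `Direct` set to `False` are the accounts a direct-members-only listing of Domain Admins or Administrators would miss.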

wreed420Author Commented:
Rafael, good idea, I will try it.
0
wreed420Author Commented:
Rafael, do you know if you could go into ADSI and add the same permissions as Domain Admins into the AD? I tried it, but it does not seem to work for administrating computers and servers, though they do have full access to edit the AD.
0
wreed420Author Commented:
Can you add a built-in group to a global group?
0
rafael_accCommented:
Any type of group can be added to a global group, including another global group. However, group nesting is allowed only when running the domain in native mode (at least this is what I remember now). Have you checked the article I gave you? I think there's something written there about it! It must be!

ADSI is actually a programming interface (the Active Directory API). So what do you mean by "going into ADSI"?


Cheers
0
wreed420Author Commented:
ADSI is the raw data of the Active Directory, where you can edit and delete objects you cannot see otherwise. Anyway, I defined security to a group on my domain in ADSIedit.

I would really like to add the Built-in Administrators group of my domain to the Domain Admins. I tried and could not; you try and see if you have luck.

Thanks
0
rafael_accCommented:
I did it before. You can do it! Are you running in native mode?
0
wreed420Author Commented:
Yes, I am: Windows 2003 Server native mode.
0
rafael_accCommented:
How many DCs do you have?
0
wreed420Author Commented:
2 in the test domain and i using
0
wreed420Author Commented:
in the same site
0
wreed420Author Commented:
I added a global group to a global group, but I am unable to add a built-in group to a global group.
0
rafael_accCommented:
http://myitforum.techtarget.com/articles/11/view.asp?id=2457
Ok. I thought you were saying that you cannot add a global group to the local admin group.
Do you have multiple domains?
0
wreed420Author Commented:
I actually want to do exactly the opposite of the article you sent me.

Yes, I have 40+ domains in my enterprise.
0
rafael_accCommented:
:S Daaaamn !!!

:) OK. That's nice. So you want to add a built-in group to a global group.... Well, you can add to a global group only users and groups from the same domain!!! If the built-in group is located in another domain ... there's still a solution ... but it's a bit dependent on the network design ... therefore might not be recommendable.

So ... let me know ... Is this built-in group located in another domain?!

0
wreed420Author Commented:
No, I want to add the built-in Administrators group of my TSB domain to the Domain Admins of my TSB domain.

All other domains I just trust, and they are root/data center/mainframe/client domains; I don't need to mess with those.
0
wreed420Author Commented:
My auditors look at who's a member of Domain Admins, not Administrators. I am trying to be sneaky to give my guys full access.
0
rafael_accCommented:
The problem is that the Domain Admins group is a domain local group. Therefore, you just cannot add a global group to the domain local group. Have you tried the delegation wizard?

Try also the following:

The official Microsoft-sanctioned method for using groups in a domain setting is known as the A-G-DL-P method.

(A) Take the user Account and place it in a
(G) Global group, then take the global group and place it into a
(DL) Domain Local group, after which you assign
(P) Permissions to the domain local group.

Of course, always following this method is not practical.  You have to use common sense and judgment when assigning groups to permissions.  The above is just an official Microsoft guideline.

0
rafael_accCommented:
"built-in administrators group of my TSB domain to the Domain Admins of my TSB domain"
"built-in administrators group" seems to me like a really local group, not a domain local group. So, this group would be located in any domain. Therefore you JUST CANNOT add a group/user outside the domain to the global group. It has to be from the same domain.

Oh ... one more ... Are you talking here about the "administrators" LOCAL GROUP!!! Not the domain local group but LOCAL GROUP. Because it's a local group it doesn't seem to me possible as groups take
0
rafael_accCommented:
Keep in touch ... I'm a bit tired now ... but I think maybe I'm missing something here ... I just cannot think ... But I'm sure it can be done ...
0

Question has a verified solution.
