I've got a little question involving Restricted Groups in a Multi-Domain Forest.
Currently there are (1) W2k Mixed Mode Domains, (2) W2k Native Domains, and (1) W2k3 Domain in the forest. All of these domains are being migrated to 1 single parent domain...that being the W2k3 Domain.
Until that is done, I have created special Security Groups in each domain to allow access to the other domains. I do this because there are 3 companies in 17 locations in 7 countries. There is a head administrator in each company, but we share responsibilities. For example, I have the awesome job of updating McAfee and Microsoft Patches on 2 of the 3 child companies as well as the new parent company that everyone is migrating to. I need full access in the member servers and DCs.
So I created 2 groups:
If a local Domain Admin, such as me, needs access in other domains, that user is added to the GG_ParentCompany_ChildCompany group. That security group is a member of the UG_ParentCompany_ChildCompany, which is the group that actually crosses the domains.
It's real easy when you think about it...if a domain admin in New Jersey needs access to servers in one of the sibling companies in another country...just add them to the GG_ParentCompany_ChildCompany group locally for their organization.
This cross-domain access works on member servers in all of the sibling companies...just like we want it to...but the only Domain Controllers that users can log on to with their local domain accounts are in the new Parent Company W2k3 Domain.
childco\user can log on to ServerX in the domain named ParentDomain...both DCs and Member servers, but childco\user can only log on to member servers in the SiblingDomain and not the DCs in the SiblingDomain.
Is this because of the schema types that are in place? And is there a way to pull those Domain Admins over to sibling domains and allow them access without having to add the Security Groups from the sibling domains as local accounts on the Domain Controller servers?
Thanks a bunch,