Adding forest "B" Enterprise Admins to forest "A" Enterprise Admins group in a two-way transitive trust

We are in the midst of migrating all of our users and machines to a new forest and domain. It will be a slow transition, so the idea is to build a two-way transitive trust between the two forests (already done), then add the enterprise admins from the new forest to the old forest's Enterprise Admins group. We'd like to just sign on as the new enterprise/domain admin and have the same permissions that the existing domain admin does. This is a simple one-domain-per-forest setup.

I cannot seem to add members from the new forest to the old forest's groups. The "Entire Directory" tree when selecting a new group member's location only shows the old domain. I am able to add the new forest's members to computers' ACLs, but I'd rather just have the new forest admin log in as a member of the existing group.

The new forest is at the 2008 functional level and the old one is at 2003.

Is this possible? What am I missing?

Thanks,
Sean
funehmon asked:
Jay_Jay70 commented:
lol, you didn't read the link, did ya :)

you can't add a domain local group to a universal group.

create a global group. Add your accounts to it. Add that global group to a universal group.

on the remote domain, use that group for NTFS permissions etc., OR add that universal group to the domain local group (or create a new domain local group and add it to that :) )

Confused? we are supposed to be :)

0
 
dooleydog commented:
Most likely you need to double-check the group scope.

You can only add users from another domain to a domain local group, not a Global group.

Then you can give this new domain local group the rights it needs for the migration.

Good Luck,

0
 
funehmon (Author) commented:
I was able to add to a local domain group, but it will not resolve when I try to add it to a universal or global security group.
0
 
Jay_Jay70 commented:
this should help you a little bit - dooleydog is on the right track, I believe:
http://technet2.microsoft.com/windowsserver/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx?mfr=true
0
 
funehmon (Author) commented:
Right, so a domain local group can contain my other forest's admins, but I cannot in turn add that new domain local group to the "Enterprise Admins" builtin group. I know I can go to each resource in the old forest and give the new forest's admins permissions, but what a pain.

I just want to add forest B's Enterprise Admins to forest A's (the old forest's) Enterprise Admins. So when I log in with the new forest's enterprise admin credentials on a forest B machine, I have admin rights.

Thanks.
Sean
0
 
Jay_Jay70 commented:
create a universal group, and use that puppy for assigning around the place... they make life much more pleasant.
0
 
funehmon (Author) commented:
Still not a solution. The domain local group that I created on the new domain that contains the admins of forest A is not able to be a member of a universal group.

I just think I'm hosed!
0
 
funehmon (Author) commented:
Jay,

I did read it, and just tried what you recommended. I do appreciate your help, and I promise I'm not trying to make this too hard.

This is what I just tried. On my new domain in the new forest, I created a global group with its domain's Administrator in it. I then added that to a new universal group.

On the old domain in the old forest, I added the new universal group (from the other domain/forest) to the "Administrators" domain local group.

This worked. However, this does not provide the solution: that members of the new universal group (now a member of the old domain's "Administrators" domain local group) have unrestricted access on any machine throughout the old forest. Yes, I can go to each resource and grant privileges to it, but that sucks. I already have "OldDomain\Domain Admins" strung across the domain as having full access; why should I have to go to each box and add the privileges for the new admin group?

The reason this gets more difficult is that we have a lot of services that run with administrator rights, and going around and making sure that every place that service touches has the right access would be very difficult.

I just want the new domain/forest Domain Admins to be a member of the old domain/forest Domain Admins group. This way all of my permissions are the same across the board.

Thanks and sorry for being a pain.

Sean
0
 
Jay_Jay70 commented:
you aren't being a pain, brother, and I apologise if my wording made you sound like you were... you most certainly aren't, and we are here for exactly this sort of thing - so again, I apologise :)

the trick to it is to get Domain Admins membership, rather than Administrators (domain local). It's a royal prick of a task at times... and it's a lot of nesting within nesting :)
0
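The nesting Jay_Jay70 describes (global group into universal group in the new forest, then that universal group into a domain local group in the old forest), which the author confirmed working above, written out as a PowerShell script with a group-scope check at the end. This is an added example, not code from the thread or from either participant. The ActiveDirectory module cmdlets are real; the forest names, DC names, OU path and group names are assumed placeholders. The scope check shows why a group from a trusted forest can land in "Administrators" (domain local) but cannot be placed in "Domain Admins" (global): global groups accept only principals from their own domain, and members from another forest are stored as foreign security principals, which only domain local groups accept.

```powershell
# Added example, not from the thread. Assumed names:
#   forest B (new)  = newforest.local, DC dcB.newforest.local
#   forest A (old)  = oldforest.local, DC dcA.oldforest.local
# Requires the ActiveDirectory module (RSAT) and the two-way forest trust already in place.
Import-Module ActiveDirectory

$newDC   = 'dcB.newforest.local'                 # assumption: a DC in the new forest
$oldDC   = 'dcA.oldforest.local'                 # assumption: a DC in the old forest
$groupOU = 'OU=Groups,DC=newforest,DC=local'     # assumption: where forest B keeps groups

# --- Forest B: accounts -> global group -> universal group -------------------
New-ADGroup -Name 'Mig-OldForest-Admins-G' -GroupScope Global -GroupCategory Security `
    -Path $groupOU -Server $newDC
Add-ADGroupMember -Identity 'Mig-OldForest-Admins-G' -Members 'Administrator' -Server $newDC

New-ADGroup -Name 'Mig-OldForest-Admins-U' -GroupScope Universal -GroupCategory Security `
    -Path $groupOU -Server $newDC
Add-ADGroupMember -Identity 'Mig-OldForest-Admins-U' -Members 'Mig-OldForest-Admins-G' -Server $newDC

# --- Forest A: universal group from forest B -> domain local group ------------
# A member from a trusted forest is stored as a foreignSecurityPrincipal, so the
# member attribute is written using the <SID=...> binding form; forest A cannot
# resolve a forest B distinguished name.
$foreign = Get-ADGroup -Identity 'Mig-OldForest-Admins-U' -Server $newDC
Set-ADGroup -Identity 'Administrators' -Server $oldDC `
    -Add @{ member = "<SID=$($foreign.SID.Value)>" }

# Confirm the foreign security principal was created under CN=ForeignSecurityPrincipals
# and is now listed as a member of the domain local group.
(Get-ADGroup -Identity 'Administrators' -Server $oldDC -Properties member).member |
    Where-Object { $_ -like 'CN=S-1-5-*,CN=ForeignSecurityPrincipals,*' }

# --- Scope check: which groups can hold a principal from another forest? -----
# Only DomainLocal groups accept foreign security principals. "Domain Admins" and
# "Enterprise Admins" are Global and Universal respectively, which is why the
# picker never offers the other forest for them.
function Test-AcceptsForeignPrincipal {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $Server
    )
    $g = Get-ADGroup -Identity $GroupName -Server $Server
    [pscustomobject]@{
        Group                  = $g.Name
        Scope                  = $g.GroupScope
        AcceptsForeignMembers  = ($g.GroupScope -eq 'DomainLocal')
    }
}

Test-AcceptsForeignPrincipal -GroupName 'Domain Admins'     -Server $oldDC
Test-AcceptsForeignPrincipal -GroupName 'Enterprise Admins' -Server $oldDC
Test-AcceptsForeignPrincipal -GroupName 'Administrators'    -Server $oldDC
```

Run the forest B section with credentials that can create groups there and the forest A section as an administrator of the old domain. Because "Administrators" in the domain is a builtin domain local group, membership in it grants rights on the domain controllers and on any ACL where that group was explicitly placed, but not the per-machine local Administrators membership that "Domain Admins" receives automatically; that difference is exactly the gap the author describes, and the scope rule above is the reason it cannot be closed by nesting into "Domain Admins".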