Adding forest "B" Enterprise Admins to forest "A" Enterprise Admins group in a two-way transitive trust

We are in the midst of migrating all of our users and machines to a new forest and domain. It will be a slow transition, so the idea is to build a two-way transitive trust between the two forests (already done), then add the Enterprise Admins from the new forest to the old forest's Enterprise Admins group. We'd like to just sign on as the new enterprise/domain admin and have it have the same permissions that the existing domain admin does. This is a simple one-domain-per-forest setup.

I cannot seem to add members from the new forest to the old forest's groups. The "Entire Location" tree when selecting a new group member's location only shows the old domain. I am able to add the new forest members to computers' ACLs, but I'd rather just have the new forest admin log in as a member of the existing group.

The new forest is at the 2008 functional level and the old one is at 2003.

Is this possible? What am I missing?


Most likely you need to double-check the group scope.

You can only add users from another domain to a domain local group, not a Global group.

Then you can give this new domain local group the rights it needs for the migration.

Good Luck,

funehmon (Author) commented:
I was able to add to a domain local group, but it will not resolve when I try to add it to a universal or global security group.

This should help you a little bit - Dooleydog is on the right track, I believe.

funehmon (Author) commented:
Right, so a domain local group can contain my other forest's admins, but I cannot in turn add that new domain local group to the "Enterprise Admins" built-in group. I know I can go to each resource in the old forest and give the new forest's admins permissions, but what a pain.

I just want to add forest B Enterprise Admins to forest A (old forest) Enterprise Admins, so that when I log in with the new forest's Enterprise Admin credentials on a forest B machine, I have admin rights.

Create a universal group, and use that puppy for assigning around the place... they make life much more pleasant.

funehmon (Author) commented:
Still not a solution. The domain local group that I created on the new domain that contains the admins of forest A is not able to be a member of a universal group.

I just think I'm hosed!
lol, you didn't read the link, did ya :)

You can't add a domain local group to a universal group.

Create a global group. Add your accounts to it. Add that global group to a universal group.

On the remote domain, use that group for NTFS permissions etc., OR add that universal group to the domain local group (or create a new domain local group and add it to that :) ).

Confused? We are supposed to be :)
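The nesting chain described in the post above (global group in forest B, nested in a universal group, which is then added to a domain local group in forest A), as an added PowerShell example that is not from the thread or from any of its participants. DC names, domain DNs and group names are assumptions; it assumes the two-way trust is in place and the ActiveDirectory module is available.

```powershell
# Added example: global -> universal -> domain local nesting across a forest trust.
# All server names, DNs and group names below are assumed placeholders.
Import-Module ActiveDirectory

$dcB     = 'dc1.newforest.example'      # assumed DC in forest B (new forest)
$dcA     = 'dc1.oldforest.example'      # assumed DC in forest A (old forest)
$domainB = 'DC=newforest,DC=example'
$domainA = 'DC=oldforest,DC=example'

# 1. Forest B: a global group holding the admin accounts. Global groups only accept
#    members from their own domain, which is why the accounts go here first.
$global = New-ADGroup -Server $dcB -Name 'NewForest-Admins-G' -GroupScope Global `
    -GroupCategory Security -Path "CN=Users,$domainB" -PassThru
Add-ADGroupMember -Server $dcB -Identity $global -Members 'Administrator'

# 2. Forest B: a universal group that nests the global group. Universal groups are
#    published in the global catalog, so the other forest can resolve them over the trust.
$universal = New-ADGroup -Server $dcB -Name 'NewForest-Admins-U' -GroupScope Universal `
    -GroupCategory Security -Path "CN=Users,$domainB" -PassThru
Add-ADGroupMember -Server $dcB -Identity $universal -Members $global

# 3. Forest A: only a Domain Local group can hold a principal from another forest.
#    Writing the universal group's DN into 'member' makes forest A create a
#    foreignSecurityPrincipal object for it (Add-ADGroupMember tries to resolve the
#    member in the local domain, so the attribute is set directly instead).
$adminsA = Get-ADGroup -Server $dcA -Identity "CN=Administrators,CN=Builtin,$domainA"
Set-ADGroup -Server $dcA -Identity $adminsA -Add @{ member = $universal.DistinguishedName }

# 4. Audit: list which foreign principals now sit in the built-in Administrators group.
#    Reading the raw 'member' attribute avoids Get-ADGroupMember's FSP resolution errors.
(Get-ADGroup -Server $dcA -Identity $adminsA -Properties member).member |
    Where-Object { $_ -like '*,CN=ForeignSecurityPrincipals,*' }

# Domain Admins is Global scope, so it cannot take a foreign principal at all;
# this is the limit the thread runs into.
(Get-ADGroup -Server $dcA -Identity "CN=Domain Admins,CN=Users,$domainA").GroupScope
```

Run the first two steps with credentials valid in forest B and the last two with credentials valid in forest A (for example via -Credential on each cmdlet).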


funehmon (Author) commented:

I did read it, and just tried what you recommended. I do appreciate your help, and I promise I'm not trying to make this too hard.

This is what I just tried. On my new domain in the new forest, I created a global group with its domain's Administrator in it. I then added that to a new universal group.

On the old domain in the old forest, I added the new universal group (from the other domain/forest) to the "Administrators" domain local group.

This worked. However, this does not provide the solution, that members of the new universal group (now a member of the old domain's "Administrators" domain local group) have unrestricted access on any machine throughout the old forest. Yes, I can go to each resource and grant privileges to it, but that sucks. I already have "OldDomain\Domain Admins" strung across the domain as having full access; why should I have to go to each box and add the privileges for the new admin group?

The reason this gets more difficult is that we have a lot of services that run with administrator rights, and going around and making sure that every place that service touches has the right access would be very difficult.

I just want the new domain/forest Domain Admins to be a member of the old domain/forest Domain Admins group. This way all of my permissions are the same across the board.

Thanks and sorry for being a pain.

You aren't being a pain, brother, and I apologise if my wording made it sound that way. You most certainly aren't, and we are here for exactly this sort of thing, so again, I apologise :)

The trick to it is to get Domain Admins membership, rather than Administrators (domain local). It's a royal prick of a task at times... and it's a lot of nesting within nesting :)