Solved

Add an account from a trusted domain to Domain Admins

Posted on 2008-06-23
15
2,206 Views
Last Modified: 2013-12-05
Our domain is trusting an external domain (not in the same forest) and we need to add an account from the external domain into the domain admins group of our domain.
I understand that the Domain Admins group is a global group so we cannot add accounts from other domains into it but I have seen several workarounds on the internet, but none of these seem to work in our situation.
I raised the functional level of our domain to Windows 2000 Native to enable the Universal groups but found that this didn't help either.

I tried creating a universal group and a domain local group, but I cannot add either of these to the Domain Admins group and only the Domain Local group lets me add accounts from the external trusted domain...

Any ideas on how to go about this?
0
Question by:pgowing
15 Comments
 
LVL 15

Expert Comment

by:fishadr
ID: 21845153
This has been covered before:

Domain Admins is a global group, which means that it can only contain users/groups from the same domain.

Create a universal group in DomainB (let's say DomainB\UniversalAdmins for reference), add DomainA\Domain Admins to DomainB\UniversalAdmins, then add DomainB\UniversalAdmins to DomainB\Domain Admins.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23053874.html
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21845373
See the following article about group scopes
http://technet2.microsoft.com/windowsserver/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx?mfr=true
Global groups can be added as members to Universal groups, but not the opposite direction.
To solve your problem, you can add the user into the Administrators group in the domain to give him administrative rights on the DCs (will not give him admin access on the other computers) or add him into the local Administrators group on a specific server or workstation.
0
 
LVL 1

Author Comment

by:pgowing
ID: 21845483
Henjoh09, I tried that but it does not give the user account the access we need really as only the domain admin group is specified in various ACLs, not the Administrators group.

fishadr, I already tried that and it does not work because the two domains are not in the same forest, I thought I made that fairly clear in my original post but sorry if I did not.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21845640
DomainAdmins is member of all Administrators-groups in the domain.
If you have set ACLs to grant DomainAdmins permissions instead of using other groups, I think you need to redesign your permissions strategy.
0
 
LVL 1

Author Comment

by:pgowing
ID: 21845694
Well which group would be more appropriate then? I thought the domain admins group's purpose was to allow administrators to manage everything in the domain, which is why I have always added the Domain Admins group to all ACLs on our servers. Obviously we have user groups assigned to directories as well but I mean from an Admin side of things, why should I be using anything other than Domain Admins?
0
 
LVL 15

Assisted Solution

by:fishadr
fishadr earned 150 total points
ID: 21845721
The domain is a security entity which is why you can only add users and groups from the local domain. Therefore you need to create another universal type Administrators group and then apply the permissions to the relevant resources. Unfortunately there is no way around it.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21845896
Domain Admins is member of all local Administrators on each computer and have by that full control of all computers.
Use the local Administrators (or other builtin local group) for NTFS-permissions if you don't want to create your own custom AD-groups for resource management.
0
 
LVL 1

Author Comment

by:pgowing
ID: 21846231
OK I created a new Universal group in the hope that I could add the trusted external account to this and then assign this group to ACLs on our domain buttttt when I tried to add the user account to this group it couldn't be found, even when I select Entire Directory as the search location.

I created a global group and the same thing happened (as expected) but then I created a Domain Local group and found that this let me add the account from the other domain... which I don't understand?
0
 
LVL 31

Accepted Solution

by:Henrik Johansson
Henrik Johansson earned 250 total points
ID: 21846633
http://technet2.microsoft.com/windowsserver/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx?mfr=true
Universal groups can contain members from any domain in the same forest. As you're having an external trust, you can't use universal groups.
Global groups can contain members from the same domain as the group.
Domain local groups can contain members from any domain.
0
 
LVL 1

Author Comment

by:pgowing
ID: 21846710
Oh... bit of a weird name for them then eh. Domain local, out of all the group scopes, sounds like the one that would only allow you to add users from the same domain (and you would have thought global would allow inter-forest members, then Universal allow everything).

I have created a domain local group and added the external domain account to it, I'll add this group to the ACLs we need to be able to access and post up the results :)
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21846964
The name of the group scopes is more the other side of the coin... Look on where you're using the groups instead of what members are added to them.
Domain local groups can contain members from other domains, but can only be used for permissions in the local domain.
Global groups can only contain members from the same domain, but can be used for permissions in any domain.
0
 
LVL 1

Author Comment

by:pgowing
ID: 21847078
Yeah I see what you mean.
I've added the domain local group (with the external account in it) to the ACL of a directory here and got the user to log out and back in but they still cannot access that directory. I assume I may need to wait for replication or something?
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21847262
The group membership may need to replicate between DCs.
The NTFS-permissions shall be set immediately when clicking ok/apply.
Use folder properties->Security->Advanced->Effective permissions to validate the user's permissions.
If the directory is accessed through a network share, you may also need to modify the share permissions.
0
 
LVL 1

Author Comment

by:pgowing
ID: 21847292
Yeah the share permissions did not need modifying, but yeah I guess I will have to wait until tomorrow to see if it's just not working yet due to replication.
Thanks
0
 
LVL 1

Author Comment

by:pgowing
ID: 23028455
After replication all worked fine.

Thanks
0
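As an added example (not code from the thread or its participants), the approach the accepted solution and the follow-up posts arrive at, scripted with the ActiveDirectory PowerShell module (Server 2008 R2 and later, so newer than this thread): create a domain local group, add the externally trusted account to it by SID, grant the group NTFS rights on the folder, and confirm the membership has replicated to every DC before the user logs off and on again. The group name, OU, NetBIOS names, external account and folder path are all constructed for the example.

```powershell
# Added example (not from the thread): constructed names throughout.
Import-Module ActiveDirectory

$GroupName  = 'Ext-ResourceAdmins'          # new domain local group in our domain
$GroupOU    = 'OU=Groups,DC=corp,DC=example,DC=com'
$OurNetbios = 'CORP'
$ExtAccount = 'PARTNER\jdoe'                # account in the externally trusted domain
$FolderPath = 'D:\Shares\Finance'

# 1. Only the domain local scope accepts principals from an externally trusted domain;
#    universal groups are limited to the forest and global groups to the group's own domain.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
                -Path $GroupOU -Description 'Admins from the trusted external domain'
}

# 2. Resolve the external account to its SID through the trust (LSA lookup) and add it
#    as a foreign security principal; the <SID=...> member syntax means the AD cmdlets
#    never need LDAP access to the other forest.
$extSid = ([System.Security.Principal.NTAccount]$ExtAccount).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value
Set-ADGroup -Identity $GroupName -Add @{ member = "<SID=$extSid>" }

# 3. Put the domain local group (never the foreign account itself) on the NTFS ACL.
$acl  = Get-Acl -Path $FolderPath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            "$OurNetbios\$GroupName",
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# 4. The user's token is built at logon from whichever DC authenticates them, so the new
#    membership must have replicated to every DC before a log-off/log-on shows the access.
#    Read the raw 'member' attribute: Get-ADGroupMember can fail on foreign principals.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $members = (Get-ADGroup -Identity $GroupName -Server $dc -Properties member).member
    $state   = if ($members -like "*$extSid*") { 'member present' } else { 'NOT yet replicated' }
    '{0}: {1}' -f $dc, $state
}
```

Once every DC reports the member present, Effective Permissions on the folder (as the thread suggests) should show the external user's access; if not, check the share permissions as well.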
