Solved

Add an account from a trusted domain to Domain Admins

Posted on 2008-06-23
Last Modified: 2013-12-05
Our domain is trusting an external domain (not in the same forest) and we need to add an account from the external domain into the Domain Admins group of our domain.
I understand that the Domain Admins group is a global group so we cannot add accounts from other domains into it, but I have seen several workarounds on the internet, and none of these seem to work in our situation.
I raised the functional level of our domain to Windows 2000 Native to enable Universal groups but found that this didn't help either.

I tried creating a universal group and a domain local group, but I cannot add either of these to the Domain Admins group and only the Domain Local group lets me add accounts from the external trusted domain...

Any ideas on how to go about this?
Question by:pgowing

15 Comments

Expert Comment
by:fishadr
This has been covered before:

Domain Admins is a global group, which means that it can only contain users/groups from the same domain.

Create a universal group in DomainB (let's say DomainB\UniversalAdmins for reference), add DomainA\Domain Admins to DomainB\UniversalAdmins, then add DomainB\UniversalAdmins to DomainB\Domain Admins.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23053874.html

Expert Comment
by:Henrik Johansson
See the following article about group scopes:
http://technet2.microsoft.com/windowsserver/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx?mfr=true
Global groups can be added as members to Universal groups, but not the opposite direction.
To solve your problem, you can add the user into the Administrators group in the domain to give him administrative rights on the DCs (will not give him admin access on the other computers) or add him into the local Administrators group on a specific server or workstation.

Author Comment
by:pgowing
Henjoh09, I tried that but it does not give the user account the access we need really as only the domain admin group is specified in various ACLs, not the Administrators group.

fishadr, I already tried that and it does not work because the two domains are not in the same forest, I thought I made that fairly clear in my original post but sorry if I did not.

Expert Comment
by:Henrik Johansson
DomainAdmins is a member of all Administrators groups in the domain.
If you have set ACLs to grant DomainAdmins permissions instead of using other groups, I think you need to redesign your permissions strategy.

Author Comment
by:pgowing
Well, which group would be more appropriate then? I thought the Domain Admins group's purpose was to allow administrators to manage everything in the domain, which is why I have always added the Domain Admins group to all ACLs on our servers. Obviously we have user groups assigned to directories as well, but I mean from an admin side of things, why should I be using anything other than Domain Admins?

Assisted Solution
by:fishadr
fishadr earned 150 total points
The domain is a security entity, which is why you can only add users and groups from the local domain. Therefore you need to create another universal-type Administrators group and then apply the permissions to the relevant resources; unfortunately there is no way around it.

Expert Comment
by:Henrik Johansson
Domain Admins is a member of the local Administrators group on each computer and thereby has full control of all computers.
Use the local Administrators group (or another built-in local group) for NTFS permissions if you don't want to create your own custom AD groups for resource management.

Author Comment
by:pgowing
OK, I created a new Universal group in the hope that I could add the trusted external account to this and then assign this group to ACLs on our domain, but when I tried to add the user account to this group it couldn't be found, even when I select Entire Directory as the search location.

I created a global group and the same thing happened (as expected), but then I created a Domain Local group and found that this let me add the account from the other domain... which I don't understand?

Accepted Solution
by:Henrik Johansson
Henrik Johansson earned 250 total points
http://technet2.microsoft.com/windowsserver/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx?mfr=true
Universal groups can contain members from any domain in the same forest. As you're having an external trust, you can't use universal groups.
Global groups can contain members from the same domain as the group.
Domain local groups can contain members from any domain.

Author Comment
by:pgowing
Oh... bit of a weird name for them then, eh. Domain Local, out of all the group scopes, sounds like the one that would only allow you to add users from the same domain (and you would have thought Global would allow inter-forest members, then Universal would allow everything).

I have created a domain local group and added the external domain account to it, I'll add this group to the ACLs we need to be able to access and post up the results :)

Expert Comment
by:Henrik Johansson
The names of the group scopes are more about the other side of the coin... Look at where you're using the groups instead of what members are added to them.
Domain local groups can contain members from other domains, but can only be used for permissions in the local domain.
Global groups can only contain members from the same domain, but can be used for permissions in any domain.

Author Comment
by:pgowing
Yeah I see what you mean.
I've added the domain local group (with the external account in it) to the ACL of a directory here and got the user to log out and back in but they still cannot access that directory. I assume I may need to wait for replication or something?

Expert Comment
by:Henrik Johansson
The group membership may need to replicate between DCs.
The NTFS permissions should be set immediately when clicking OK/Apply.
Use folder properties -> Security -> Advanced -> Effective Permissions to validate the user's permissions.
If the directory is accessed through a network share, you may also need to modify the share permissions.
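The procedure the accepted solution and the follow-up comment describe, scripted as an added example (not code from the thread) with the ActiveDirectory PowerShell module, which ships with Windows Server 2008 R2 and later. It assumes an existing external trust; the domain NetBIOS names, account, group, OU and folder below are placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (Windows Server 2008 R2 and later), an existing external trust, and that
# the script runs as an administrator of our domain. All names are placeholders.
Import-Module ActiveDirectory

$localDomain   = 'CORP'                  # NetBIOS name of our (trusting) domain
$trustedDomain = 'PARTNER'               # NetBIOS name of the external trusted domain
$trustedUser   = 'jsmith'                # account that lives in the trusted domain
$groupName     = 'ExternalAdmins-DL'     # domain local group we create
$groupOU       = 'OU=Groups,DC=corp,DC=example'
$folder        = 'D:\Shares\AdminTools'  # folder whose ACL should grant access

# Domain Admins is a Global group, so it can never hold a foreign principal.
(Get-ADGroup -Identity 'Domain Admins').GroupScope   # Global

# 1. Domain Local is the only scope that accepts members across an external
#    (non-forest) trust; Global and Universal would both refuse the account.
New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security -Path $groupOU

# 2. Resolve the trusted account to its SID through the trust (an LSA lookup,
#    so no connection to the other domain's AD Web Services is needed).
#    Adding by SID makes AD create the foreignSecurityPrincipal object for us.
$account = New-Object System.Security.Principal.NTAccount("$trustedDomain\$trustedUser")
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
Set-ADGroup -Identity $groupName -Add @{ member = "<SID=$sid>" }

# 3. Grant the new group on the folder instead of touching Domain Admins.
#    Share permissions, if the folder is shared, are separate and unchanged here.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$localDomain\$groupName", 'Modify',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. The membership has to replicate to whichever DC builds the user's logon
#    token, so check every DC before concluding that the ACL "doesn't work".
foreach ($dc in Get-ADDomainController -Filter *) {
    $members = (Get-ADGroup -Identity $groupName -Server $dc.HostName -Properties member).member
    $present = [bool]($members | Where-Object { $_ -like "CN=$sid,CN=ForeignSecurityPrincipals,*" })
    '{0}: foreign member replicated = {1}' -f $dc.HostName, $present
}
```

Once every DC reports the member as present, the user needs a fresh logon so the new group SID is in their token; the Effective Permissions tab mentioned above then shows the result.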

Author Comment
by:pgowing
Yeah, the share permissions did not need modifying, but yeah, I guess I will have to wait until tomorrow to see if it's just not working yet due to replication.
Thanks

Author Comment
by:pgowing
After replication all worked fine.

Thanks