Solved

Add an account from a trusted domain to Domain Admins

Posted on 2008-06-23
2,143 Views
Last Modified: 2013-12-05
Our domain is trusting an external domain (not in the same forest) and we need to add an account from the external domain into the Domain Admins group of our domain.
I understand that the Domain Admins group is a global group, so we cannot add accounts from other domains into it, but I have seen several workarounds on the internet and none of these seem to work in our situation.
I raised the functional level of our domain to Windows 2000 Native to enable Universal groups but found that this didn't help either.

I tried creating a universal group and a domain local group, but I cannot add either of these to the Domain Admins group and only the Domain Local group lets me add accounts from the external trusted domain...

Any ideas on how to go about this?
Question by:pgowing
15 Comments
 
LVL 15

Expert Comment

by:fishadr
ID: 21845153
This has been covered before:

Domain Admins is a global group, which means that it can only contain users/groups from the same domain.

Create a universal group in DomainB (let's say DomainB\UniversalAdmins for reference), add DomainA\Domain Admins to DomainB\UniversalAdmins, then add DomainB\UniversalAdmins to DomainB\Domain Admins.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23053874.html
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21845373
See the following article about group scopes
http://technet2.microsoft.com/windowsserver/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx?mfr=true
Global groups can be added as members to Universal groups, but not the opposite direction.
To solve your problem, you can add the user into the Administrators group in the domain to give him administrative rights on the DCs (will not give him admin access on the other computers) or add him into the local Administrators group on a specific server or workstation.
 
LVL 1

Author Comment

by:pgowing
ID: 21845483
Henjoh09, I tried that but it does not give the user account the access we need really as only the domain admin group is specified in various ACLs, not the Administrators group.

fishadr, I already tried that and it does not work because the two domains are not in the same forest, I thought I made that fairly clear in my original post but sorry if I did not.
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21845640
Domain Admins is a member of all Administrators groups in the domain.
If you have set ACLs to grant Domain Admins permissions instead of using other groups, I think you need to redesign your permissions strategy.
 
LVL 1

Author Comment

by:pgowing
ID: 21845694
Well, which group would be more appropriate then? I thought the Domain Admins group's purpose was to allow administrators to manage everything in the domain, which is why I have always added the Domain Admins group to all ACLs on our servers. Obviously we have user groups assigned to directories as well, but I mean from an admin side of things, why should I be using anything other than Domain Admins?
 
LVL 15

Assisted Solution

by:fishadr
fishadr earned 150 total points
ID: 21845721
The domain is a security entity, which is why you can only add users and groups from the local domain. Therefore you need to create another universal-type Administrators group and then apply the permissions to the relevant resources; unfortunately there is no way around it.
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21845896
Domain Admins is a member of the local Administrators group on each computer and by that has full control of all computers.
Use the local Administrators group (or another built-in local group) for NTFS permissions if you don't want to create your own custom AD groups for resource management.
 
LVL 1

Author Comment

by:pgowing
ID: 21846231
OK, I created a new Universal group in the hope that I could add the trusted external account to this and then assign this group to ACLs on our domain, but when I tried to add the user account to this group it couldn't be found, even when I select Entire Directory as the search location.

I created a global group and the same thing happened (as expected), but then I created a Domain Local group and found that this let me add the account from the other domain... which I don't understand?
 
LVL 31

Accepted Solution

by:Henrik Johansson
Henrik Johansson earned 250 total points
ID: 21846633
http://technet2.microsoft.com/windowsserver/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx?mfr=true
Universal groups can contain members from any domain in the same forest. As you're having an external trust, you can't use universal groups.
Global groups can contain members from the same domain as the group.
Domain local groups can contain members from any domain.
 
LVL 1

Author Comment

by:pgowing
ID: 21846710
Oh... bit of a weird name for them then, eh. Domain local, out of all the group scopes, sounds like the one that would only allow you to add users from the same domain (and you would have thought global would allow inter-forest members, then Universal allow everything).

I have created a domain local group and added the external domain account to it. I'll add this group to the ACLs we need to be able to access and post up the results :)
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21846964
The names of the group scopes are more the other side of the coin... Look at where you're using the groups instead of what members are added to them.
Domain local groups can contain members from other domains, but can only be used for permissions in the local domain.
Global groups can only contain members from the same domain, but can be used for permissions in any domain.
 
LVL 1

Author Comment

by:pgowing
ID: 21847078
Yeah I see what you mean.
I've added the domain local group (with the external account in it) to the ACL of a directory here and got the user to log out and back in but they still cannot access that directory. I assume I may need to wait for replication or something?
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21847262
The group membership may need to replicate between DCs.
The NTFS permissions shall be set immediately when clicking OK/Apply.
Use folder properties -> Security -> Advanced -> Effective Permissions to validate the user's permissions.
If the directory is accessed through a network share, you may also need to modify the share permissions.
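The procedure the thread converges on (create a domain local group in the trusting domain, add the account from the externally trusted domain to it, put that group on the NTFS ACL, then wait for the membership to replicate before testing) as an added PowerShell example. This is not code from the thread or from either participant; it assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later, which did not exist for the 2008-era setup described here), and every group, OU, account and folder name below is a placeholder to be substituted.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# that the script runs as an admin of our (trusting) domain, DomainB.
Import-Module ActiveDirectory

$GroupName    = 'ExtAdmins'                          # placeholder: new domain local group
$GroupOU      = 'OU=Groups,DC=domainb,DC=local'      # placeholder: OU in our domain
$ExternalUser = 'DOMAINA\jsmith'                     # placeholder: account in the trusted domain
$Folder       = 'D:\Shares\Admin'                    # placeholder: folder to protect

# 1. Domain local is the only scope that accepts a member from an externally trusted
#    domain: global groups take members from their own domain only, universal groups
#    from their own forest only. Creating this as Universal and then adding the
#    external SID would fail at step 2.
New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU

# 2. Resolve the external account to its SID over the trust, then add it by SID.
#    The <SID=...> binding form is what makes AD create the matching foreign
#    security principal under CN=ForeignSecurityPrincipals and link it as a member.
$sid = (New-Object System.Security.Principal.NTAccount($ExternalUser)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$groupDN = (Get-ADGroup -Identity $GroupName).DistinguishedName
$group   = [ADSI]"LDAP://$groupDN"
$group.Add("LDAP://<SID=$sid>")

# 3. Grant the group Modify on the folder via the NTFS ACL. Share permissions are a
#    separate gate and are not touched here.
$netbios = (Get-ADDomain).NetBIOSName
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$netbios\$GroupName",
            [System.Security.AccessControl.FileSystemRights]::Modify,
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 4. Group membership goes into the user's token at logon, read from whichever DC
#    authenticates them. Until the new member has replicated to every DC, a user
#    who lands on a stale DC gets a token without the group and is still denied.
function Test-GroupReplicated {
    param([string]$Name, [string]$MemberSid)
    $fspDn = "CN=$MemberSid,CN=ForeignSecurityPrincipals,$((Get-ADDomain).DistinguishedName)"
    foreach ($dc in Get-ADDomainController -Filter *) {
        $members = (Get-ADGroup -Identity $Name -Properties member -Server $dc.HostName).member
        [pscustomobject]@{ DC = $dc.HostName; HasExternalMember = ($members -contains $fspDn) }
    }
}
Test-GroupReplicated -Name $GroupName -MemberSid $sid
```

Once every DC reports HasExternalMember as True, have the user log off and on again so a fresh token is built, then confirm with the folder's Effective Permissions tab as suggested above. Granting the resource to a group of our own rather than to Domain Admins keeps the external account out of the built-in admin groups entirely, which is the least-privilege outcome the thread is steering toward.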
 
LVL 1

Author Comment

by:pgowing
ID: 21847292
Yeah, the share permissions did not need modifying, but I guess I will have to wait until tomorrow to see if it's just not working yet due to replication.
Thanks
 
LVL 1

Author Comment

by:pgowing
ID: 23028455
After replication all worked fine.

Thanks