Solved

Add an account from a trusted domain to Domain Admins

Posted on 2008-06-23
Last Modified: 2013-12-05
Our domain is trusting an external domain (not in the same forest) and we need to add an account from the external domain into the Domain Admins group of our domain.
I understand that the Domain Admins group is a global group so we cannot add accounts from other domains into it but I have seen several workarounds on the internet, but none of these seem to work in our situation.
I raised the functional level of our domain to Windows 2000 Native to enable the Universal groups but found that this didn't help either.

I tried creating a universal group and a domain local group, but I cannot add either of these to the Domain Admins group and only the Domain Local group lets me add accounts from the external trusted domain...

Any ideas on how to go about this?
Question by:pgowing
15 Comments
LVL 15

Expert Comment

by:fishadr
ID: 21845153
This has been covered before:

Domain Admins is a global group, which means that it can only contain users/groups from the same domain.

Create a universal group in DomainB (let's say DomainB\UniversalAdmins for reference), add DomainA\Domain Admins to DomainB\UniversalAdmins, then add DomainB\UniversalAdmins to DomainB\Domain Admins.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23053874.html
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21845373
See the following article about group scopes
http://technet2.microsoft.com/windowsserver/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx?mfr=true
Global groups can be added as members to Universal groups, but not the opposite direction.
To solve your problem, you can add the user into the Administrators group in the domain to give him administrative rights on the DCs (will not give him admin access on the other computers) or add him into the local Administrators group on a specific server or workstation.
LVL 1

Author Comment

by:pgowing
ID: 21845483
Henjoh09, I tried that but it does not give the user account the access we need really as only the domain admin group is specified in various ACLs, not the Administrators group.

fishadr, I already tried that and it does not work because the two domains are not in the same forest, I thought I made that fairly clear in my original post but sorry if I did not.
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21845640
Domain Admins is a member of all Administrators groups in the domain.
If you have set ACLs to grant Domain Admins permissions instead of using other groups, I think you need to redesign your permissions strategy.
LVL 1

Author Comment

by:pgowing
ID: 21845694
Well, which group would be more appropriate then? I thought the Domain Admins group's purpose was to allow administrators to manage everything in the domain, which is why I have always added the Domain Admins group to all ACLs on our servers. Obviously we have user groups assigned to directories as well, but I mean from an admin side of things, why should I be using anything other than Domain Admins?
LVL 15

Assisted Solution

by:fishadr
fishadr earned 150 total points
ID: 21845721
The domain is a security entity, which is why you can only add users and groups from the local domain. Therefore you need to create another universal-type Administrators group and then apply the permissions to the relevant resources; unfortunately there is no way around it.
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21845896
Domain Admins is a member of the local Administrators group on each computer and by that has full control of all computers.
Use the local Administrators (or other builtin local group) for NTFS-permissions if you don't want to create your own custom AD-groups for resource management.
LVL 1

Author Comment

by:pgowing
ID: 21846231
OK, I created a new Universal group in the hope that I could add the trusted external account to this and then assign this group to ACLs on our domain, but when I tried to add the user account to this group it couldn't be found, even when I select Entire Directory as the search location.

I created a global group and the same thing happened (as expected), but then I created a Domain Local group and found that this let me add the account from the other domain... which I don't understand?
LVL 31

Accepted Solution

by:Henrik Johansson
Henrik Johansson earned 250 total points
ID: 21846633
http://technet2.microsoft.com/windowsserver/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx?mfr=true
Universal groups can contain members from any domain in the same forest. As you're having an external trust, you can't use universal groups.
Global groups can contain members from the same domain as the group.
Domain local groups can contain members from any domain.
LVL 1

Author Comment

by:pgowing
ID: 21846710
Oh... bit of a weird name for them then, eh. Domain Local, out of all the group scopes, sounds like the one that would only allow you to add users from the same domain (and you would have thought Global would allow inter-forest members, then Universal allow everything).

I have created a domain local group and added the external domain account to it, I'll add this group to the ACLs we need to be able to access and post up the results :)
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21846964
The name of the group scopes is more the other side of the coin... Look on where you're using the groups instead of what members are added to them.
Domain local groups can contain members from other domains, but can only be used for permissions in the local domain.
Global groups can only contain members from the same domain, but can be used for permissions in any domain.
LVL 1

Author Comment

by:pgowing
ID: 21847078
Yeah I see what you mean.
I've added the domain local group (with the external account in it) to the ACL of a directory here and got the user to log out and back in but they still cannot access that directory. I assume I may need to wait for replication or something?
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21847262
The group membership may need to replicate between DCs.
The NTFS permissions will be set immediately when clicking OK/Apply.
Use folder properties -> Security -> Advanced -> Effective Permissions to validate the user's permissions.
If the directory is accessed through a network share, you may also need to modify the share permissions.
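The procedure the answers above arrive at (a Domain Local group holding the account from the externally trusted domain, granted on the folder's NTFS ACL, then checked), put together as a script. This is an added example and not code from the thread; it assumes the ActiveDirectory PowerShell module is available, and the group name, account name, OU path and folder path are placeholders.

```powershell
# Added example, not from the thread. Placeholders: DOMAINB is our domain,
# DOMAINA is the externally trusted domain; adjust names and paths.
Import-Module ActiveDirectory

$groupName   = 'ExternalAdmins'                     # placeholder group name
$foreignUser = 'DOMAINA\jdoe'                       # placeholder account in the trusted domain
$groupOU     = 'OU=Groups,DC=domainb,DC=example'    # placeholder OU
$folder      = 'D:\Shares\AdminTools'               # placeholder folder on a member server

# 1. Only a Domain Local group accepts members from outside the forest
#    (they are stored as foreign security principals); Global and Universal cannot.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
        -Path $groupOU -Description 'Administrators from the externally trusted domain'
}

# 2. Resolve the external account to its SID through the trust and add it by SID.
#    Binding with LDAP://<SID=...> lets AD create the foreignSecurityPrincipal entry.
$sid   = (New-Object System.Security.Principal.NTAccount($foreignUser)).
             Translate([System.Security.Principal.SecurityIdentifier]).Value
$group = [ADSI]("LDAP://" + (Get-ADGroup $groupName).DistinguishedName)
$group.Add("LDAP://<SID=$sid>")

# 3. Grant the group Full Control on the folder. The ACE takes effect at once;
#    the new group membership still has to replicate to the other DCs and the
#    user must log on again to get the group in their token.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "DOMAINB\$groupName", 'FullControl',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Check: the ACE is on the folder, and the group has the scope and member expected.
(Get-Acl -Path $folder).Access | Where-Object { $_.IdentityReference -like "*\$groupName" }
Get-ADGroup -Identity $groupName -Properties member | Select-Object Name, GroupScope, member
```

Share permissions are separate from the NTFS ACL and are not touched here, as the thread notes.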
LVL 1

Author Comment

by:pgowing
ID: 21847292
Yeah, the share permissions did not need modifying, but yeah, I guess I will have to wait until tomorrow to see if it's just not working yet due to replication.
Thanks
LVL 1

Author Comment

by:pgowing
ID: 23028455
After replication all worked fine.

Thanks