
Solved

Add an account from a trusted domain to Domain Admins

Posted on 2008-06-23
Medium Priority
2,426 Views
Last Modified: 2013-12-05
Our domain is trusting an external domain (not in the same forest) and we need to add an account from the external domain into the Domain Admins group of our domain.
I understand that the Domain Admins group is a global group, so we cannot add accounts from other domains into it. I have seen several workarounds on the internet, but none of them seem to work in our situation.
I raised the functional level of our domain to Windows 2000 Native to enable Universal groups but found that this didn't help either.

I tried creating a universal group and a domain local group, but I cannot add either of these to the Domain Admins group, and only the Domain Local group lets me add accounts from the external trusted domain...

Any ideas on how to go about this?
Question by: pgowing
15 Comments
 
LVL 15

Expert Comment

by:fishadr
ID: 21845153
This has been covered before:

Domain Admins is a global group, which means that it can only contain users/groups from the same domain.

Create a universal group in DomainB (let's say DomainB\UniversalAdmins for reference), add DomainA\Domain Admins to DomainB\UniversalAdmins, then add DomainB\UniversalAdmins to DomainB\Domain Admins.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23053874.html
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21845373
See the following article about group scopes
http://technet2.microsoft.com/windowsserver/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx?mfr=true
Global groups can be added as members to Universal groups, but not the opposite direction.
To solve your problem, you can add the user into the Administrators group in the domain to give him administrative rights on the DCs (will not give him admin access on the other computers) or add him into the local Administrators group on a specific server or workstation.
 
LVL 1

Author Comment

by:pgowing
ID: 21845483
Henjoh09, I tried that but it does not give the user account the access we need really as only the domain admin group is specified in various ACLs, not the Administrators group.

fishadr, I already tried that and it does not work because the two domains are not in the same forest, I thought I made that fairly clear in my original post but sorry if I did not.
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21845640
Domain Admins is a member of all Administrators groups in the domain.
If you have set ACLs to grant Domain Admins permissions instead of using other groups, I think you need to redesign your permissions strategy.
 
LVL 1

Author Comment

by:pgowing
ID: 21845694
Well, which group would be more appropriate then? I thought the Domain Admins group's purpose was to allow administrators to manage everything in the domain, which is why I have always added the Domain Admins group to all ACLs on our servers. Obviously we have user groups assigned to directories as well, but I mean from an admin side of things, why should I be using anything other than Domain Admins?
 
LVL 15

Assisted Solution

by:fishadr
fishadr earned 600 total points
ID: 21845721
The domain is a security entity, which is why you can only add users and groups from the local domain. Therefore you need to create another universal type Administrators group and then apply the permissions to the relevant resources; unfortunately there is no way around it.
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21845896
Domain Admins is a member of the local Administrators group on each computer and by that has full control of all computers.
Use the local Administrators group (or another built-in local group) for NTFS permissions if you don't want to create your own custom AD groups for resource management.
 
LVL 1

Author Comment

by:pgowing
ID: 21846231
OK, I created a new Universal group in the hope that I could add the trusted external account to this and then assign this group to ACLs on our domain, but when I tried to add the user account to this group it couldn't be found, even when I select Entire Directory as the search location.

I created a global group and the same thing happened (as expected), but then I created a Domain Local group and found that this let me add the account from the other domain... which I don't understand?
 
LVL 31

Accepted Solution

by:Henrik Johansson
Henrik Johansson earned 1000 total points
ID: 21846633
http://technet2.microsoft.com/windowsserver/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx?mfr=true
Universal groups can contain members from any domain in the same forest. As you have an external trust, you can't use universal groups.
Global groups can contain members from the same domain as the group.
Domain local groups can contain members from any domain.
 
LVL 1

Author Comment

by:pgowing
ID: 21846710
Oh... bit of a weird name for them then, eh. Domain local, out of all the group scopes, sounds like the one that would only allow you to add users from the same domain (and you would have thought global would allow inter-forest members, then Universal allow everything).

I have created a domain local group and added the external domain account to it. I'll add this group to the ACLs we need to be able to access and post up the results :)
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21846964
The names of the group scopes are more the other side of the coin... Look at where you're using the groups instead of what members are added to them.
Domain local groups can contain members from other domains, but can only be used for permissions in the local domain.
Global groups can only contain members from the same domain, but can be used for permissions in any domain.
 
LVL 1

Author Comment

by:pgowing
ID: 21847078
Yeah I see what you mean.
I've added the domain local group (with the external account in it) to the ACL of a directory here and got the user to log out and back in, but they still cannot access that directory. I assume I may need to wait for replication or something?
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21847262
The group membership may need to replicate between DCs.
The NTFS permissions shall be set immediately when clicking OK/Apply.
Use folder properties -> Security -> Advanced -> Effective Permissions to validate the user's permissions.
If the directory is accessed through a network share, you may also need to modify the share permissions.
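The procedure the answers converge on (a domain local resource group in the trusting domain, the external account as its member, the group on the directory's ACL, then a check that the membership has replicated) as an added PowerShell example. This is not code from the thread or from Experts Exchange; it assumes the ActiveDirectory RSAT module, and the domain names, OU, account name and folder path are placeholders. Step 3 uses the ADSI IADsGroup.Add method with an LDAP://<SID=...> binding string to add the foreign principal; treat that call as an assumption to confirm against your own trust before relying on it.

```powershell
# Added example, not code from the thread: create a domain local resource group in the
# trusting domain, add an account from the externally trusted domain to it, grant that
# group NTFS access on one directory, and check that the membership has replicated.
# Requires the ActiveDirectory RSAT module and an account that can create groups and
# change the folder ACL. All names and the path below are placeholders.
Import-Module ActiveDirectory

$GroupName  = 'RG-AdminShare-DL'                           # placeholder domain local group
$GroupOU    = 'OU=Resource Groups,DC=ourdomain,DC=example' # placeholder OU in our domain
$ExtAccount = 'EXTDOMAIN\jsmith'                           # placeholder account in the trusted external domain
$FolderPath = 'D:\Shares\Admin'                            # placeholder directory to grant access on

# 1. Domain local scope is the only one that accepts members from a domain outside the
#    forest (an external trust), as the accepted answer explains.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Path $GroupOU -Description "Resource group: access to $FolderPath"
}
$Group = Get-ADGroup -Identity $GroupName

# 2. Resolve the external account to its SID across the trust. Members from another
#    forest are stored in our domain as foreign security principals keyed by SID.
$ExtSid = ([System.Security.Principal.NTAccount]$ExtAccount).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value

# 3. Add the member through ADSI IADsGroup.Add with an LDAP://<SID=...> binding string,
#    the form used for principals from another domain (assumption: not verified here
#    against a live external trust).
$AdsiGroup = [ADSI]"LDAP://$($Group.DistinguishedName)"
$AdsiGroup.Add("LDAP://<SID=$ExtSid>")

# 4. Grant the group Modify on the directory, inheriting to sub-folders and files.
#    The ACE names the group, never the foreign account directly.
$NetBios  = (Get-ADDomain).NetBIOSName
$Identity = "$NetBios\$GroupName"
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl = Get-Acl -Path $FolderPath
$Acl.AddAccessRule($Rule)
Set-Acl -Path $FolderPath -AclObject $Acl

# 5. Verify. The ACE is effective immediately, but the group membership must reach the
#    DC that authenticates the user, and the user needs a fresh logon token afterwards.
(Get-Acl -Path $FolderPath).Access |
    Where-Object { $_.IdentityReference -eq $Identity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

foreach ($dc in Get-ADDomainController -Filter *) {
    $members = (Get-ADGroup -Identity $GroupName -Server $dc.HostName -Properties member).member
    $present = $members -match [regex]::Escape($ExtSid)   # the FSP's DN contains the SID
    '{0}: external member replicated = {1}' -f $dc.HostName, [bool]$present
}
```

The last loop is the check the thread's "wait for replication" exchange calls for: query each DC directly rather than whichever one the workstation happens to bind to, and only ask the user to log off and on once every DC lists the member.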
 
LVL 1

Author Comment

by:pgowing
ID: 21847292
Yeah, the share permissions did not need modifying, but I guess I will have to wait until tomorrow to see if it's just not working yet due to replication.
Thanks
 
LVL 1

Author Comment

by:pgowing
ID: 23028455
After replication all worked fine.

Thanks
