• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 299
  • Last Modified:

Difference between logon domain and machine domain

Hi

We are emea.kam.com, we also have japan.kam.com and us.kam.com

Is it possible for a machine to be in one domain, yet have admins in those two other domains being able to log onto it?

AD is Windows 2003.
Asked: kam_uk

5 Solutions
 
ineedccsCommented:
Yes, it is most likely in the forest structure where this has been implemented.
0
 
kam_ukAuthor Commented:
Thanks, but how does this work?
0
 
matthewrhoadesCommented:
Once you build your Active Directory "Forest", you can add the domain administrator accounts of each domain into "Enterprise Admins" group, giving them access to all domains in the forest.

If I remember correctly.

http://www.informit.com/articles/article.aspx?p=32080&seqNum=6
0
 
ineedccsCommented:
It is according to how the admins have set up the structure of the forest and who has access to what domains, in Active Directory Sites and Services.
0
 
ineedccsCommented:
And in the Enterprise Admins group.
0
 
kam_ukAuthor Commented:
Thanks guys.

So would we need a two-way trust between domains for this to work, or am I thinking of something else?
0
 
ineedccsCommented:
Well, if they are part of the same forest already, you should be able to just add them to the Enterprise Admins group and that should work.
0
 
Mike KlineCommented:
You really want to limit access to Enterprise Admins; don't add too many people to that group.
Since Domain Admins is a global group, that presents problems (you can't nest Domain Admins from other domains into the group).
builtin\Administrators is a domain local group, so you could nest the Domain Admins groups from the other domains into that group.
However, being in builtin\Administrators doesn't make you a true domain admin.
Another method would be to create them a DA account in each domain.
You could also create a Universal group and use a group policy to add that group to the Administrators group on all workstations and member servers.
Thanks
Mike
0
 
AmericomCommented:
***********
" emea.kam.com, we also have japan.kam.com and us.kam.com "
Is it possible for a machine to be in one domain, yet have admins in those two other domains being able to log onto it?
***********

NOTES:
Assuming you have a root domain "kam.com" and child domains "emea.kam.com", "japan.kam.com" and "us.kam.com" in a single forest model.

CLARIFICATIONS:
1. By default, all these domains have two-way trusts established between each other. This means any user can log on to any member workstation belonging to any one of the above domains, provided that the user is logging on to the domain where their account exists. So, when you are at the workstation logon window, click on the drop-down button and you will see your workstation computer name and the above domains to select from. Of course, if you use a UPN, then you don't get the selection.

By default, the "Enterprise Admins" group is added to the Domain Local "Administrators" group of every domain in the forest, providing complete access to the configuration of all domain controllers. Note: this does not provide complete access to all member servers in all domains, not by default! It requires you, as the enterprise admin, to create an appropriate domain account and assign it to the appropriate group, such as the Domain Admins group, so that the created admin account has complete access to all member servers and workstations within that specific domain, by default.

By default, each domain has a group called "Domain Admins", and this group is a global group, which means members of Enterprise Admins, or the group itself, cannot be members of the Domain Admins group. You also cannot add members from another domain to this Domain Admins group. This means members of Enterprise Admins do not have complete access to all the workstations and servers in any of the domains, by default. They only have complete configuration access to all the domain controllers in all domains, by default.

Like Mike stated above, you can nest the Domain Admins groups from the other domains into the builtin\Administrators group of each domain, but it only allows you to manage AD; it is not a true Domain Admin that has access to all member servers and workstations within that domain.

This means even a member of the Enterprise Admins group does not necessarily have complete access to all servers and workstations in all domains within the forest without extra account administration work.


By default, the
0
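A worked version of the group-nesting points made in Mike Kline's and Americom's comments, added here as an example (it is not code from either commenter or from the original thread): it reads the group scopes that explain why cross-domain nesting into Domain Admins fails, nests the other domains' Domain Admins into emea's domain-local builtin\Administrators, builds the universal group Mike mentions, and lists Enterprise Admins membership for review. Assumed: the forest from the question (root kam.com with child domains emea.kam.com, japan.kam.com and us.kam.com), the ActiveDirectory PowerShell module on a management host, and hypothetical group and OU names.

```powershell
# Added example, not the thread's own code. Assumes the kam.com forest from the
# question and the RSAT ActiveDirectory module; group/OU names are hypothetical.
Import-Module ActiveDirectory

$childDomains = 'emea.kam.com', 'japan.kam.com', 'us.kam.com'

# 1. Group scope is the reason Domain Admins cannot hold principals from another
#    domain: a Global group only accepts members from its own domain, whereas a
#    DomainLocal group (builtin\Administrators) accepts members from any domain
#    in the forest.
foreach ($d in $childDomains) {
    $da = Get-ADGroup -Identity 'Domain Admins' -Server $d
    '{0,-16} Domain Admins scope: {1}' -f $d, $da.GroupScope      # Global
}
$emeaAdmins = Get-ADGroup -Identity 'Administrators' -Server 'emea.kam.com'
'emea.kam.com     Administrators scope: {0}' -f $emeaAdmins.GroupScope   # DomainLocal

# 2. Mike's first option: nest japan and us Domain Admins into emea's
#    builtin\Administrators. This grants rights over emea's directory and
#    domain controllers, NOT over emea member servers and workstations.
foreach ($d in 'japan.kam.com', 'us.kam.com') {
    $remoteDA = Get-ADGroup -Identity 'Domain Admins' -Server $d
    Add-ADGroupMember -Identity 'Administrators' -Members $remoteDA -Server 'emea.kam.com'
}

# 3. Mike's second option: one Universal security group in the forest root that
#    collects each domain's admins. Universal groups may contain users and global
#    groups from any domain in the forest. A GPO (Restricted Groups) then places
#    this group into the local Administrators group of workstations and member
#    servers; that GPO step is configured in GPMC and is not scripted here.
$groupOu = 'OU=Groups,DC=kam,DC=com'   # hypothetical OU in the root domain
New-ADGroup -Name 'Forest-Workstation-Admins' -GroupScope Universal `
    -GroupCategory Security -Path $groupOu -Server 'kam.com'
foreach ($d in $childDomains) {
    Add-ADGroupMember -Identity 'Forest-Workstation-Admins' -Server 'kam.com' `
        -Members (Get-ADGroup -Identity 'Domain Admins' -Server $d)
}

# 4. Review step for Mike's warning: Enterprise Admins should stay small, so
#    list its effective (recursive) membership for periodic checking.
Get-ADGroupMember -Identity 'Enterprise Admins' -Server 'kam.com' -Recursive |
    Select-Object Name, objectClass, distinguishedName
```

Run each section with an account that has rights in the target domain; the membership changes in steps 2 and 3 take effect on member machines only after the Group Policy in step 3 is linked and applied.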
 
chrishudson123Commented:
Only the root Domain Admin can log in to any domain by default in a forest, since he is part of "Enterprise Admins". If you want to give login access to other Domain Admins, manually add the "Domain Admins" global group of your remote domains to the local "Administrators" group. The local admin can log in to the machine with admin credentials because, when you join a machine to the domain, the "Domain Admins" of the local domain will be added to the local "Administrators" group.
0
 
kam_ukAuthor Commented:
Thanks all
0
