
Difference between logon domain and machine domain

Medium Priority
Last Modified: 2012-05-06

We are emea.kam.com, we also have japan.kam.com and us.kam.com

Is it possible for a machine to be in one domain, yet have admins in those two other domains being able to log onto it?

AD is windows 2003.

Yes, it is; most likely in the forest structure where this has been implemented.


Thanks, but how does this work?
Once you build your Active Directory "Forest", you can add the domain administrator accounts of each domain into "Enterprise Admins" group, giving them access to all domains in the forest.

If I remember correctly.


It is according to how the admins have set up the structure of the forest and who has access to what domains, in Active Directory Sites and Services

and in the enterprise admin group


thanks guys

So would we need a two-way trust between domains for this to work, or am I thinking of something else?

Well, if they are part of the same forest already, you should be able to just add them to the Enterprise Admins group and that should work.
You really want to limit access to Enterprise Admins; don't add too many people to that group.
Since domain admins is a global group that presents problems. (you can't nest domain admins from other domains into the group)
builtin\administrators is a domain local group so you could nest the domain admin groups from the other domains into that group.
However being in builtin\administrators doesn't make you a true domain admin.
Another method would be to create them a DA account in each domain.
You could also create a Universal group and use a group policy to add that group to the administrator group on all workstations and member servers.
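The Universal-group approach from the answer above, written out as an added example (this is not code from the thread or from any of the posters). It assumes the forest root is kam.com with NetBIOS name KAM, an OU named "OU=Admin Groups,DC=kam,DC=com", the RSAT ActiveDirectory module on the admin workstation, and PowerShell 5.1 or later on the target machines; the group name, OU and host names are hypothetical. The point it demonstrates is the scope rule the answer relies on: a Universal group can contain Global groups (Domain Admins) from any domain in the forest, while a Global group cannot, and a Universal group can then be granted local Administrators membership on members of any domain.

```powershell
# Added example, not from the thread. Build a Universal group in the forest
# root, nest each child domain's "Domain Admins" global group into it, and
# add it to the local Administrators group on member machines.
# Assumptions (not from the page): root domain kam.com / NetBIOS KAM, the OU
# below exists, RSAT ActiveDirectory module, PowerShell 5.1+ on targets.
Import-Module ActiveDirectory

$RootDomain   = 'kam.com'
$ChildDomains = 'emea.kam.com', 'japan.kam.com', 'us.kam.com'   # from the question
$GroupName    = 'Forest-Workstation-Admins'                      # hypothetical name
$GroupOU      = 'OU=Admin Groups,DC=kam,DC=com'                  # hypothetical OU

# 1. Universal scope is what makes cross-domain nesting possible: a Universal
#    group may contain Global groups from any domain in the forest, whereas a
#    Global group (Domain Admins) cannot contain principals from other domains.
$adminGroup = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $RootDomain
if (-not $adminGroup) {
    $adminGroup = New-ADGroup -Name $GroupName -GroupScope Universal `
        -GroupCategory Security -Path $GroupOU -Server $RootDomain -PassThru
}

# 2. Nest each child domain's Domain Admins. The member is fetched from its
#    own domain (-Server) so the root DC resolves it by SID/DN rather than by
#    a name that only exists in the child domain.
foreach ($domain in $ChildDomains) {
    $da = Get-ADGroup -Identity 'Domain Admins' -Server $domain
    Add-ADGroupMember -Identity $adminGroup -Members $da -Server $RootDomain
    Write-Host "Nested $($da.DistinguishedName) into $GroupName"
}

# 3. Grant the Universal group local Administrators on the machines that should
#    accept these admins. The answer does this with Group Policy (Restricted
#    Groups); this is the equivalent ad-hoc push for a handful of hosts. A GPO
#    is preferable at scale because it is enforced and re-applied on refresh.
$targets = 'WS-EMEA-001', 'SRV-EMEA-APP1'     # constructed sample host names
Invoke-Command -ComputerName $targets -ScriptBlock {
    param($member)
    $already = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
               Where-Object Name -eq $member
    if (-not $already) {
        Add-LocalGroupMember -Group 'Administrators' -Member $member
    }
} -ArgumentList "KAM\$GroupName"

# 4. Review the nesting (read the member attribute directly; it lists the DNs
#    of the cross-domain groups) before the group is rolled out further.
(Get-ADGroup -Identity $adminGroup -Server $RootDomain -Properties member).member
```

Because the Universal group lives in the root domain, it is replicated to the global catalog and the child domains' member machines can resolve it at logon; a Universal group also keeps the admin set reviewable in one place, which is easier to audit than a separate DA account per domain.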
" emea.kam.com, we also have japan.kam.com and us.kam.com "
Is it possible for a machine to be in one domain, yet have admins in those two other domains being able to log onto it?

Assuming you have a root domain "kam.com" and child domains "emea.kam.com", "japan.kam.com" and "us.kam.com" in a single forest model.

1. By default, all these domains have two-way trusts established between each other. This means any user can log on to any member workstation belonging to any one of the above domains, provided that the user is logging onto the domain where their account exists. So, when you are at the workstation logon window, click on the drop-down button and you will see your workstation computer name and the above domains to select from. Of course, if you use a UPN, then you don't get the selection.

By default, the "Enterprise Admins" group is added to the Domain Local "Administrators" group of every domain in the forest, providing complete access to the configuration of all domain controllers. NOTE: this does not provide complete access to all member servers in all domains, not by default! It requires you as the enterprise admin to create an appropriate domain account and assign it to the appropriate group, such as the Domain Admins group, so that the created admin account has complete access to all member servers and workstations within that specific domain, by default.

By default, each domain has a group called "Domain Admins", and this group is a global group, which means members of Enterprise Admins or the group itself cannot be members of the Domain Admins group. You also cannot add members from other domains to this Domain Admins group. This means members of Enterprise Admins do not have complete access to all the workstations and servers in any of the domains, by default. They only have complete configuration access to all the domain controllers in all domains, by default.

Like Mike stated above, you can nest the Domain Admins groups from the other domains into the builtin\administrators group of each domain, but it only allows you to manage AD; it is not a true Domain Admin that has access to all member servers and workstations within that domain.

This means even the members of the Enterprise Admins group do not necessarily have complete access to all servers and workstations in all domains within the forest without extra account administration work.
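An added audit script (not from the thread or any poster) that checks, domain by domain, the defaults the answer above describes: the automatic intra-forest two-way trusts, the Global scope of Domain Admins versus the DomainLocal scope of Administrators, and whether the root domain's Enterprise Admins group is present in each domain's Administrators group. It assumes the RSAT ActiveDirectory module and read access to every domain in the forest; Get-ADTrust needs a domain controller reachable through Active Directory Web Services, so on a forest that is still entirely Windows 2003 the trust step will not return data.

```powershell
# Added example, not from the thread. Walk every domain in the forest and
# report the defaults discussed above. Assumptions: RSAT ActiveDirectory
# module and an account that can read each domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest root: $($forest.RootDomain)"
$ea = Get-ADGroup -Identity 'Enterprise Admins' -Server $forest.RootDomain

foreach ($domain in $forest.Domains) {
    Write-Host "`n== $domain =="

    # Trusts: inside one forest, parent/child trusts are two-way and transitive
    # and show IntraForest = True, so no manual trust is needed between them.
    Get-ADTrust -Filter * -Server $domain |
        Select-Object Name, Direction, IntraForest, TrustType |
        Format-Table -AutoSize

    # Scopes: Domain Admins is Global, so it cannot take members from another
    # domain; Administrators is DomainLocal, so it can nest foreign groups.
    foreach ($name in 'Domain Admins', 'Administrators') {
        $g = Get-ADGroup -Identity $name -Server $domain -Properties member
        Write-Host ("{0,-15} scope={1}" -f $name, $g.GroupScope)
        $g.member | ForEach-Object { "    $_" }
    }

    # Enterprise Admins (root domain) should be in each domain's Administrators
    # group by default; warn where it has been removed.
    $admins = Get-ADGroup -Identity 'Administrators' -Server $domain -Properties member
    if ($admins.member -notcontains $ea.DistinguishedName) {
        Write-Warning "$domain : Enterprise Admins is not in builtin\Administrators"
    }
}
```

Reading the member attribute of each Administrators group is also the quickest way to see the point made above: Enterprise Admins shows up there, but it does not appear in any Domain Admins group, which is why Enterprise Admins alone does not give access to member servers and workstations.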

By default, the
Chris Hudson, Cloud Security Architect
Only the root Domain Admin can log in to any domain by default in a forest, since he is part of "Enterprise Admins". If you want to give login access to other Domain Admins, manually add the "Domain Admins" global group of your remote domains to the local "Administrators" group. The local admin can log in to the machine with admin credentials because, when you join a machine to the domain, the "Domain Admins" of the local domain will be added to the local "Administrators" group.


Thanks all