Difference between logon domain and machine domain


We are emea.kam.com; we also have japan.kam.com and us.kam.com.

Is it possible for a machine to be in one domain, yet have admins in those two other domains being able to log onto it?

AD is windows 2003.
matthewrhoades commented:
Once you build your Active Directory "Forest", you can add the domain administrator accounts of each domain into "Enterprise Admins" group, giving them access to all domains in the forest.

If I remember correctly.

Yes, it is most likely in the forest structure where this has been implemented.
kam_uk (Author) commented:
Thanks, but how does this work?

ineedccs commented:
It depends on how the admins have set up the structure of the forest and who has access to which domains, in Active Directory Sites and Services and in the Enterprise Admins group.
kam_uk (Author) commented:
thanks guys

So would we need a two-way trust between the domains for this to work, or am I thinking of something else?
Well, if they are already part of the same forest, you should be able to just add them to the Enterprise Admins group and that should work.
Mike Kline commented:
You really want to limit access to Enterprise Admins; don't add too many people to that group.
Since Domain Admins is a global group, that presents problems (you can't nest Domain Admins from other domains into the group).
builtin\administrators is a domain local group so you could nest the domain admin groups from the other domains into that group.
However, being in builtin\administrators doesn't make you a true domain admin.
Another method would be to create them a DA account in each domain.
You could also create a Universal group and use a Group Policy to add that group to the Administrators group on all workstations and member servers.
<gr_replace_placeholder/>
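Mike's last suggestion, a universal group that Group Policy then pushes into local Administrators, as an added PowerShell example. This is not code from the thread or from any of its participants. It assumes the ActiveDirectory module (RSAT), a forest root kam.com with the three child domains named in the question, an existing OU "OU=Groups,DC=kam,DC=com" and the group name "Forest Workstation Admins"; all of those names are assumptions. The Restricted Groups step itself is done in GPMC, so the script only documents it and then verifies the result on a machine.

```powershell
# Added example (not from the thread): a forest-wide universal group, nested with
# each child domain's Domain Admins, that a Restricted Groups GPO then places in
# local Administrators. Assumptions: ActiveDirectory module, forest root kam.com,
# child domains as in the question, an existing OU 'OU=Groups,DC=kam,DC=com',
# and the group name below. All of these names are illustrative.
Import-Module ActiveDirectory

$forestRoot   = 'kam.com'
$childDomains = 'emea.kam.com', 'japan.kam.com', 'us.kam.com'
$groupName    = 'Forest Workstation Admins'
$groupOu      = 'OU=Groups,DC=kam,DC=com'

# 1. Universal scope is the key: a universal group may contain global groups from
#    any domain in the forest, which a global group (Domain Admins) cannot.
$universal = Get-ADGroup -Filter "Name -eq '$groupName'" -Server $forestRoot
if (-not $universal) {
    $universal = New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security `
        -Path $groupOu -Server $forestRoot -PassThru `
        -Description 'Placed into local Administrators by GPO (Restricted Groups)'
}

# 2. Nest each child domain's Domain Admins. The member is resolved in its own
#    domain (well-known RID 512), then added by DN with Set-ADGroup -Add, which is
#    the reliable form for members that live in a different domain than the group.
foreach ($d in $childDomains) {
    $sid = (Get-ADDomain -Server $d).DomainSID.Value
    $da  = Get-ADGroup -Identity "$sid-512" -Server $d
    if ($da.GroupScope -ne 'Global') { throw "Unexpected scope for Domain Admins in $d" }
    Set-ADGroup -Identity $universal -Add @{ member = $da.DistinguishedName } -Server $forestRoot
}

# 3. Review the membership. Universal group membership lives in the global catalog,
#    so keep it short and change it rarely; every change replicates forest-wide.
(Get-ADGroup -Identity $universal -Server $forestRoot -Properties member).member

# 4. Not scriptable here: in GPMC, link a GPO to the workstation / member-server
#    OUs and under Computer Configuration > Policies > Windows Settings >
#    Security Settings > Restricted Groups add the group with
#    "This group is a member of: Administrators". That form is additive; the
#    "Members of this group" form replaces the local group's existing members.

# 5. After the GPO has applied, confirm on a machine which domain groups now sit
#    in its local Administrators group (ADSI WinNT works on any Windows version).
$localAdmins = [ADSI]'WinNT://./Administrators,group'
$localAdmins.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}
```

Step 5 prints entries such as `WinNT://KAM/Forest Workstation Admins` alongside the local domain's `Domain Admins`; anything else listed there is worth explaining, since it is exactly the kind of cross-domain membership this thread is about.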
" emea.kam.com, we also have japan.kam.com and us.kam.com "
Is it possible for a machine to be in one domain, yet have admins in those two other domains being able to log onto it?

Assuming you have a root domain "kam.com" and child domains "emea.kam.com", "japan.kam.com" and "us.kam.com" in a single-forest model.

1. By default, all these domains have two-way trusts established between each other. This means any user can log on to any member workstation belonging to any one of the above domains, provided that the user is logging on to the domain where their account exists. So, when you are at the workstation logon window, click on the drop-down button and you will see your workstation computer name and the above domains to select from. Of course, if you use a UPN, then you don't get the selection.

By default, the "Enterprise Admins" group is added to the Domain Local "Administrators" group of every domain in the forest, providing complete access to the configuration of all domain controllers. NOTE: this does not provide complete access to all member servers in all domains, not by default! It requires you, as the enterprise admin, to create an appropriate domain account and assign it to the appropriate group, such as the Domain Admins group, so that the created admin account has complete access to all member servers and workstations within that specific domain, by default.

By default, each domain has a group called "Domain Admins", and this group is a global group, which means neither members of Enterprise Admins nor the group itself can be a member of the Domain Admins group. You also cannot add members from other domains to this Domain Admins group. This means members of Enterprise Admins do not have complete access to all the workstations and servers in any of the domains, by default. They only have complete configuration access to all the domain controllers in all domains, by default.

As Mike stated above, you can nest the Domain Admins groups from the other domains into the builtin\administrators group of each domain, but that only allows you to manage AD; it does not make a true Domain Admin that has access to all member servers and workstations within that domain.

This means even a member of the Enterprise Admins group does not necessarily have complete access to all servers and workstations in all domains within the forest without extra account administration work.

By default, the
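An added PowerShell audit (not from the thread or its participants) that checks the defaults Americom lists for a single forest: Administrators is Domain Local, Domain Admins is Global, Enterprise Admins is nested into every domain's Administrators, and the intra-forest trusts are two-way. It assumes the ActiveDirectory module and read access to every domain in the forest; the kam.com layout is taken from the question. The well-known RIDs used (544 for BUILTIN\Administrators, 512 for Domain Admins, 519 for Enterprise Admins) are fixed by Windows, so the script works regardless of how the groups have been renamed.

```powershell
# Added example (not from the thread): audit the group-scope and nesting defaults
# Americom describes. Assumptions: ActiveDirectory module, read access to each
# domain, and the forest layout from the question (kam.com plus child domains).
Import-Module ActiveDirectory

# Returns the domain-component part of a DN, e.g. 'DC=emea,DC=kam,DC=com'.
function Get-DnDomainPart([string]$dn) {
    $dn.Substring($dn.IndexOf(',DC=') + 1)
}

$forest  = Get-ADForest
$rootSid = (Get-ADDomain -Server $forest.RootDomain).DomainSID.Value
# Enterprise Admins always has RID 519 and exists only in the forest root domain.
$eaDn = (Get-ADGroup -Identity "$rootSid-519" -Server $forest.RootDomain).DistinguishedName

$report = foreach ($domain in $forest.Domains) {
    $dom = Get-ADDomain -Server $domain
    # BUILTIN\Administrators is S-1-5-32-544 in every domain; Domain Admins is RID 512.
    $admins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $domain -Properties member
    $da     = Get-ADGroup -Identity "$($dom.DomainSID)-512" -Server $domain

    # Members of Administrators whose DN lives in another domain of the forest:
    # these are the nested cross-domain groups Mike and Americom describe.
    $foreign = @($admins.member | Where-Object {
        (Get-DnDomainPart $_) -ne $dom.DistinguishedName })

    [pscustomobject]@{
        Domain                 = $domain
        AdministratorsScope    = $admins.GroupScope      # expected: DomainLocal
        DomainAdminsScope      = $da.GroupScope          # expected: Global
        EnterpriseAdminsNested = [bool]($admins.member -contains $eaDn)
        CrossDomainMembers     = $foreign -join '; '
    }
}
$report | Format-Table -AutoSize

# Parent-child trusts inside one forest are two-way and transitive, which is why
# a user from any domain can log on at a workstation joined to another domain.
Get-ADTrust -Filter * -Server $forest.RootDomain |
    Select-Object Name, Direction, IntraForest, ForestTransitive |
    Format-Table -AutoSize
```

The CrossDomainMembers column is the one to read carefully: each entry is a group from another domain whose members can administer this domain's directory (and, per the thread, nothing more than that), so it should match a deliberate design rather than accumulate over time.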
Chris Hudson (Cloud Security Architect) commented:
Only the root Domain Admin can log in to any domain by default in a forest, since he is part of "Enterprise Admins". If you want to give login access to other Domain Admins, manually add the "Domain Admins" global group of your remote domains to the local "Administrators" group. The local admin can log in to the machine with admin credentials because when you join a machine to the domain, the "Domain Admins" of the local domain is added to the local "Administrators" group.
kam_uk (Author) commented:
Thanks all