mwDev

asked on

Admin across two domains in the same forest

I have two domains in the same forest (two-way trust). Let's call them DomainA and DomainB.
I'm relatively new to running multiple domains in the same forest, but what I would like to do is have a user in DomainA be able to log in as an administrator to a member server in DomainB.

Does anyone have any ideas on how to do this?
DomainA =  Windows 2008 Server
DomainB = Windows 2003 Server
DomainB member server = Windows 2003

I tried to set the user from DomainA as an administrator on DomainB. Active Directory did allow me to make this setting, and when I log in to the server running as DomainB I appear to have administrative privileges. The problem is that when I try to log in to the member server of DomainB, I do not have administrative privileges.

Any help would be much appreciated.
jfields71

What sort of trust is this exactly? Is it a full two-way forest trust? What type of authentication is enabled on the trust? If selective authentication was selected, that could be the issue.
ASKER CERTIFIED SOLUTION
jfields71

Make them a part of the Enterprise Admins group. This will give them admin access to all domains in the forest.
Oh. Sorry. I was reading your question as two forests.
mwDev

ASKER

The Trust Type is "Tree-Root" Transitive "Yes"

I also don't have the option to select "Selective authentication". I don't have an authentication tab even showing in the properties of the trust.

I would make them a part of the Enterprise Admins group, but this opens security a little further than I would like.
Just to try it, I did add my user to the Enterprise Admins group, then logged into the member server and still had no administrative privileges.
Do you want local admin rights on the member server? If so, just add the user to the local Administrators group on the member server. If not, what do you want the user to be able to do exactly?
mwDev

ASKER

Adding the user to the local Administrators Group does work.
Really all I want is for that user to have administration rights on the local computer. This accomplishes this, but is not what I would have expected.

Does anyone know why adding my user as a member of the DomainB Administrators group does not work?
I do not have a good answer to that one for you. I just tried it in my forest (setting a user from domain A with domain admin rights to domain B) and it worked. Possibly there is an issue with the trust between the domains, or maybe it was taking time to propagate the changes to AD. But just to be sure: the solution worked and you have got what you need.... correct?
mwDev

ASKER

Thanks for all your help smashpmk712... I think we're just starting to address the real issue.

Although this does give me an answer on how to setup the admin rights for the user, it really does not address the root of the problem. If your servers are allowing this, why is it not working here? There must be something else preventing this from working correctly. The administration of security should be from a domain level and not a local computer level.
I just have to make sure.... but is the Domain Admins group from domain B in the local Administrators group of the member server?
mwDev

ASKER

Yes they are...
I would remove the user from the local Administrators group, then add him to the Domain Admins group for domain B and do a gpupdate /force on the member server and see if that helps things....
mwDev

ASKER

I am not able to add users from DomainA to the members of Domain Admins in DomainB.

Perhaps since the Domain Admins group is not a Universal group on DomainB, you have to add the users to DomainB\Administrators (Builtin Local) and then add this user to the local Administrators group on the member server?

smashpmk712, you said you tried it on your server... Did you add the user to Domain Admins OR the Administrators group? What groups do you have set in the local Administrators group on the member server?

Cheers,
I added the user to the Domain Admins group of domain B, which is part of the local admins group on a member server in domain B.
Sorry, I meant to type local admins group.
mwDev

ASKER

I'm not sure how this is working for you... The Domain Admins group is a Global group, so you should not be able to add users from another domain.

If I open "Members" for "Domain Admins" on domain B, change the location to "DomainA" and take a look in "Object Types", I cannot add users. The only options showing are "Other Objects" and "Contacts". This is of course due to the fact that the "Domain Admins" group has a "Global" scope.

What type of domain trust are you running, or are you running a sub-domain?

Perhaps the solution here is to create a group on DomainB with a Universal or Domain Local scope, add my DomainA users to this group, then add this group to the DomainB member server's local Administrators group.
I tried creating a new group with a Universal scope, adding these users from DomainA to this group, and then adding this group to the DomainB Domain Admins group, but this did not work... Not that I expected it to, as this would defeat the purpose of scopes.
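The group-scope approach described in the last two posts (a Domain Local group in DomainB that holds the DomainA users and is itself placed in the member server's local Administrators group), together with the earlier "just add the user to the local Administrators group" step, as an added PowerShell example. This is not code from the thread or from any participant; it assumes a management host with the RSAT ActiveDirectory module, the hypothetical names DomainA/DomainB, user `jdoe`, group `DomainB-ServerAdmins` and member server `MEMBER01`, and an account with rights to create groups in DomainB and to administer MEMBER01. The `net localgroup` step is used instead of `Add-LocalGroupMember` because it also works on a Windows 2003 member server.

```powershell
# Added example (not from the original thread). All names below are assumptions.
Import-Module ActiveDirectory

$domainA      = 'DomainA'                  # assumed: domain holding the user
$domainB      = 'DomainB'                  # assumed: domain holding the member server
$userSam      = 'jdoe'                     # assumed user in DomainA
$groupName    = 'DomainB-ServerAdmins'     # assumed group created in DomainB
$memberServer = 'MEMBER01'                 # assumed DomainB member server

# 1. Show why the direct approach fails: Domain Admins is Global-scoped,
#    and a Global group can only contain principals from its own domain.
$domainAdmins = Get-ADGroup -Identity 'Domain Admins' -Server $domainB -Properties GroupScope
Write-Host "Domain Admins scope in $domainB is $($domainAdmins.GroupScope)"
if ($domainAdmins.GroupScope -eq 'Global') {
    Write-Host 'Global scope: cannot hold users from another domain; use a DomainLocal group instead.'
}

# 2. Create a DomainLocal security group in DomainB. DomainLocal (or Universal)
#    groups may contain users from other trusted domains in the forest.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -Server $domainB)) {
    New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
        -Server $domainB -Description 'Cross-domain local administrators for member servers'
}

# 3. Resolve the DomainA user from DomainA's DC and add it to the DomainB group.
#    AD creates a foreign security principal in DomainB for the cross-domain member.
$userA = Get-ADUser -Identity $userSam -Server $domainA
Add-ADGroupMember -Identity $groupName -Members $userA -Server $domainB

# 4. Put the DomainB group (not the individual user) into the member server's
#    local Administrators group. Run remotely so no interactive logon is needed.
Invoke-Command -ComputerName $memberServer -ScriptBlock {
    param($grp)
    net localgroup Administrators $grp /add
} -ArgumentList "$domainB\$groupName"

# 5. Verification: the group should list the DomainA user, and the server's
#    local Administrators should list the group. Review these two outputs
#    whenever auditing who can administer the server.
Get-ADGroupMember -Identity $groupName -Server $domainB |
    Select-Object Name, objectClass, distinguishedName
Invoke-Command -ComputerName $memberServer -ScriptBlock { net localgroup Administrators }
```

Keeping the DomainA user out of the server's local Administrators group directly, and granting access only through a DomainB-managed Domain Local group, keeps the administration at the domain level the asker wanted: membership is reviewed and revoked in one place, and the member server's local group never needs to be touched again. Note that the user must log off and back on (or the server must be rebooted) before the new group membership shows up in the user's token.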