Windows Server 2008 R2 Child Domain and Admin Rights

In my lab I have a Domain called EngLab. This is the root domain in the forest. I do not want any user to have domain admin rights so I created a group called "ENGLAB\Engineering Users". I created an OU and put stuff in there for them to be able to play with.

I created a child domain called prod.englab. Prod is as realistically close to Production as I can make it. It is also where I want my users to play in with the ability to change anything they want down there.

I want to take the ENGLAB\Engineering Users (Domain Global) and put them in "PROD\Domain Admins".

Can someone who has done this give me step-by-step directions on this, since the articles on the internet are not working for me?

Thank you for your time and patience!
MarkhamLA1979Asked:
Mike KlineCommented:
Englab\Engineering users can't be members of PROD\Domain Admins

The reason you can't add a member from another domain is because the domain admin group is a global group and global groups can only contain:

- Accounts from the same domain as the parent global group
- Global groups from the same domain as the parent global group

There is the built-in administrators group which does replicate to every DC, but it is not a member of local admin on all the computer objects by default like domain admins.

You could also create them a second account.

Thanks

Mike
0

MarkhamLA1979Author Commented:
So there is no way that I can make a user from ENGLAB a DA in Prod without a new account? That seems weird to me?
0
Mike KlineCommented:
Correct, but just think about it: because it is a global group, you can't add members from outside domains.
0
MarkhamLA1979Author Commented:
That seems somewhat contradictory to the idea that a parent user can be used to manage a child domain. Seems backwards.
0
Encrypted1024Commented:
There are some workarounds. You can use delegation in your child domain. Create a Universal group and add your users. Then delegate permissions in the child domain to that group. You can achieve almost all of the features of Domain Admin. What is easier is to use a restricted group policy.

Create a Universal Group in parent domain. Add users. In Child domain create a new GPO at the domain root. Go to restricted groups in group policy. Add your Universal group to restricted groups and make it always a member of Administrators. That way your universal group will always be an Administrator on any box on that domain. That is how I manage my multiple domain environment. It will let you do most things.
0
Encrypted1024Commented:
I believe my restricted group policy solution will (and may have) meet his expectations.
Here is a snippet from another post I wrote:
**
Encrypted1024:
You can add them to the administrators group on every server by using a restricted groups policy. First make a Universal Group Called Forest Admins or something or use an existing group and put your users you want in it. Then create a new GPO on the OU that contains your servers. Navigate to:
Computer Policy>Windows Settings>Security Settings>Restricted Groups.
Select Add Group. Browse and select your group that contains the user that you want to be Forest Admins. Then select "This group is a member of" and type administrators in the box.
This will make the users that are in your Forest Admin group be Administrators on any computer that you attach the GPO to.
 
**
Maybe those instructions are more clear.
If you add the GPO at the root or attach it to the DC OU it will give you the equivalent of domain admin rights in the child domain.  
0
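
The group setup from the answer above, followed by a check of who ends up in the child domain's Administrators group once the Restricted Groups GPO has applied. This is an added PowerShell example, not part of the original thread; the DNS name `englab`, the account name `Engineering Users`, and the use of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example (not from the thread). Assumed: DNS names, account names,
# and that the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$RootDomain  = 'englab'         # assumed DNS name of the forest root
$ChildDomain = 'prod.englab'    # child domain named in the question
$GroupName   = 'Forest Admins'  # group name suggested in the answer

# Domain Admins in the child domain has Global scope, which is why it
# cannot take members from ENGLAB.
(Get-ADGroup -Identity 'Domain Admins' -Server $ChildDomain).GroupScope

# Create the Universal security group in the root domain and nest the
# existing global group in it (skipped when the group already exists).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $RootDomain)) {
    New-ADGroup -Name $GroupName -GroupScope Universal `
                -GroupCategory Security -Server $RootDomain
    Add-ADGroupMember -Identity $GroupName -Members 'Engineering Users' `
                      -Server $RootDomain
}

# After the Restricted Groups GPO has applied to the child domain's DCs,
# read BUILTIN\Administrators (well-known SID S-1-5-32-544) there.
$childDn = (Get-ADDomain -Server $ChildDomain).DistinguishedName
$admins  = Get-ADGroup -Identity 'S-1-5-32-544' -Server $ChildDomain `
                       -Properties member

# Is the universal group actually a member?
$groupDn = (Get-ADGroup -Identity $GroupName -Server $RootDomain).DistinguishedName
"{0} in {1}\Administrators: {2}" -f $GroupName, $ChildDomain,
    ($admins.member -contains $groupDn)

# List every member that lives outside the child domain: DNs from other
# domains in the forest, plus foreign security principals from trusts.
$admins.member | Where-Object {
    -not $_.EndsWith(",$childDn", [StringComparison]::OrdinalIgnoreCase) -or
    $_ -like 'CN=S-1-5-*,CN=ForeignSecurityPrincipals,*'
}
```

Anyone who can change the membership of the universal group in the root domain gains administrator rights in the child domain, so that group should be protected and reviewed like an admin group.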