Solved

Using a domain account across domains

Posted on 2013-10-24
336 Views
Last Modified: 2013-12-16
Hi guys,

Hope you are all well and can assist.

We have one forest, 2 domains:
Test.net
A.test.net

Domain account:
Test.net\service_quest

I need the above account to be a member of the local administrators group on all domain controllers in BOTH domains.

Could one of you gurus please direct me as to how this might be done?

Any help greatly appreciated.
Question by:Simon336697
8 Comments
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 90 total points
ID: 39599738
Create this group as a universal group.
Create a global group in each domain.
Make the global groups members of the universal group.
Add the user accounts to the global groups in their domain.
Use Restricted Groups to assign the universal group to local admins; see http://myitforum.com/myitforumwp/2011/09/30/how-to-add-domain-accounts-to-local-administrators-group-using-gpo/
 
LVL 1

Author Comment

by:Simon336697
ID: 39600059
Hi KCTS,

Thanks so much for your help :>)

When you say..
"Create this group as a universal group"
I'm not sure I understand...
What group and in what domain?

Thank you
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 410 total points
ID: 39606326
The best method to assign permissions is the AGDULP (Accounts, Global, Universal, Domain Local, Permissions) method for adding users to groups, considering you already have a trust in place between them.

In order to add users from one domain to computers/groups/AD in another domain, you need to use the AGDULP method. Also, add the DNS suffix on the clients' NIC for faster domain location.

- Add the user accounts to global groups > global groups to a universal group > universal groups to domain local groups > domain local groups to the group you want to assign the permission to.
http://technet.microsoft.com/en-us/library/bb742592.aspx

Accessing resources across forests
http://technet.microsoft.com/en-us/library/cc772808%28WS.10%29.aspx
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39606334
The above steps are for resource access. But as you want Domain Admin rights on a cross-forest domain trust, see this from step 3 onward.

Domain Admin rights on a cross-forest domain trust
http://jasonduffett.net/post/5448151233/administering-cross-forest-domains-with-a-single-login

 
LVL 1

Author Comment

by:Simon336697
ID: 39613597
Hi Sandeshdubey,

Thank you mate.

Can I please clarify with you what you are saying below?

Add the User Accounts to Global Groups> Global Groups to Universal Group> Universal Groups to Domain Local Groups > Domain Local Groups to the group you want to assign the permission.

What I need to know is this.

Given I have the below..
2 domains (Test.net         and        A.test.net)
Domain account:        Test.net\service_quest

and want Test.net\service_quest to be a member of the local administrators group on all domain controllers in BOTH the root and sub domains (of the SAME FOREST):

Do I:

1) Add test.net\service_quest to:

test.net\quest users (global group) - is this global group created in test.net or A.test.net?

then

2) Add test.net\quest users to:

test.net\uniquest users (universal group) - is this universal created in test.net or A.test.net?

then

3) Add test.net\uniquest users to:

A.test.net\dlquest users (domain local group) to the group you want to assign the permission.

I'm getting confused about which domains to create these accounts in, whether it is the root or the subdomain.
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39615334
"want Test.net\service_quest to be a member of the local administrators group on all domain controllers in BOTH the root and sub domains (of the SAME FOREST)"

There is no local admin group on a DC; you can add your user ID to the Domain Admins group or the Administrators group in both forests to have domain rights on DCs.

If you want workstations also, then you need to use Restricted Groups policy. http://jasonduffett.net/post/5448151233/administering-cross-forest-domains-with-a-single-login

The above steps for groups are for resource access; as you don't want that, ignore them.
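The following is an added example, not code from any post in this thread. It puts together KCTS's group-nesting design and Sandeshdubey's final point that a domain controller has no local SAM, so "local Administrators" on a DC means the domain's built-in Administrators group (SID S-1-5-32-544). It assumes the ActiveDirectory RSAT module, a single forest with domains test.net and a.test.net, the account test.net\service_quest, and a caller permitted to create groups in test.net and to edit the built-in Administrators group of both domains. The OU path and the group names GG-Quest-DC-Admins and UG-Quest-DC-Admins are assumptions.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory RSAT module,
# a single forest (test.net and a.test.net), the account test.net\service_quest,
# and a caller allowed to create groups in test.net and to edit the built-in
# Administrators group in both domains. The OU path and the two group names
# are assumptions.
Import-Module ActiveDirectory

$RootDomain  = 'test.net'
$ChildDomain = 'a.test.net'
$Account     = 'service_quest'                 # exists in test.net
$GroupOU     = 'OU=Groups,DC=test,DC=net'      # assumed OU in the root domain

# 1) Global group in the domain where the account lives. A global group can
#    only contain principals from its own domain, so it goes in test.net.
$gg = New-ADGroup -Name 'GG-Quest-DC-Admins' -GroupScope Global `
        -Path $GroupOU -Server $RootDomain -PassThru
Add-ADGroupMember -Identity $gg -Server $RootDomain `
        -Members (Get-ADUser -Identity $Account -Server $RootDomain)

# 2) Universal group, created here in the root domain (any domain of the forest
#    would do). Nest the global group in it; a global group from a.test.net
#    could be nested the same way later.
$ug = New-ADGroup -Name 'UG-Quest-DC-Admins' -GroupScope Universal `
        -Path $GroupOU -Server $RootDomain -PassThru
Add-ADGroupMember -Identity $ug -Members $gg -Server $RootDomain

# 3) A DC has no local SAM: "local Administrators" on a DC is the domain's
#    built-in (domain local) Administrators group, S-1-5-32-544. Write the
#    universal group's DN into that group's member attribute on a DC of each
#    domain. Set-ADGroup -Add writes the DN directly and avoids the member
#    lookup Add-ADGroupMember performs against the target domain, which is
#    where adds of principals from another domain commonly fail.
foreach ($domain in $RootDomain, $ChildDomain) {
    Set-ADGroup -Identity 'S-1-5-32-544' -Server $domain `
        -Add @{ member = $ug.DistinguishedName }
}

# 4) Check each domain: the universal group must be a direct member of
#    Administrators there, and the account must be reachable through the
#    nesting (resolved against the root domain, where both groups live).
function Test-DcAdminPath {
    param([string]$Domain, [string]$GroupDn, [string]$SamAccountName, [string]$HomeDomain)
    $admins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $Domain -Properties member
    $direct = $admins.member -contains $GroupDn
    $nested = (Get-ADGroupMember -Identity $GroupDn -Server $HomeDomain -Recursive).SamAccountName -contains $SamAccountName
    return ($direct -and $nested)
}
foreach ($domain in $RootDomain, $ChildDomain) {
    '{0}: {1}' -f $domain, (Test-DcAdminPath -Domain $domain -GroupDn $ug.DistinguishedName `
                            -SamAccountName $Account -HomeDomain $RootDomain)
}
```

Two cautions a practitioner would want here. If the membership is instead pushed by the Restricted Groups GPO from KCTS's post, use the "This group is a member of" setting for the universal group rather than "Members of this group" on Administrators, because the latter replaces the existing membership of Administrators on every computer the policy reaches, and on the Default Domain Controllers Policy that means every DC. And whichever route is used, a principal in the built-in Administrators group of the forest root domain has forest-wide control, so service_quest should be protected (and monitored) as a forest-admin-equivalent credential.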
 
LVL 1

Author Comment

by:Simon336697
ID: 39615366
Hi sandesh.
Thank you so much.
 
LVL 1

Author Closing Comment

by:Simon336697
ID: 39723103
Thank you and sorry for the delay.
