Solved

Using a domain account across domains

Posted on 2013-10-24
Medium Priority
353 Views
Last Modified: 2013-12-16
Hi guys,

Hope you are all well and can assist.

We have one forest, 2 domains:
Test.net
A.test.net

Domain account:
Test.net\service_quest

I need the above account to be a member of the local administrators group on all domain controllers in BOTH domains.

Could one of you gurus please direct me as to how this might be done?

Any help greatly appreciated.
Question by: Simon336697

8 Comments
 
LVL 70

Assisted Solution

by: KCTS
KCTS earned 360 total points
ID: 39599738
Create this group as a universal group.
Create a global group in each domain.
Make the global groups members of the universal group.
Add the user accounts to the global groups in the domain.
Use Restricted Groups to assign the universal group to local admins; see http://myitforum.com/myitforumwp/2011/09/30/how-to-add-domain-accounts-to-local-administrators-group-using-gpo/
 
LVL 1

Author Comment

by: Simon336697
ID: 39600059
Hi KCTS,

Thanks so much for your help :>)

When you say..
"Create this group as a universal group"
I'm not sure I understand...
What group and in what domain?

Thank you
 
LVL 24

Accepted Solution

by: Sandeshdubey
Sandeshdubey earned 1640 total points
ID: 39606326
The best method to assign permissions is the AGUDLP (Accounts, Global, Universal, Domain Local, Permissions) method of adding users to groups, considering you already have a trust in place between them.

In order to add users in AD from one domain to another domain, whether to computers, groups or AD, you need to use the AGUDLP method. Also, add the DNS suffix on the clients' NIC for faster domain location.

- Add the User Accounts to Global Groups > Global Groups to Universal Groups > Universal Groups to Domain Local Groups > assign the permission to the Domain Local Groups.
http://technet.microsoft.com/en-us/library/bb742592.aspx

Accessing resources across forests
http://technet.microsoft.com/en-us/library/cc772808%28WS.10%29.aspx
 
LVL 24

Expert Comment

by: Sandeshdubey
ID: 39606334
The above steps are for resource access. But as you want Domain Admin rights on a cross-forest domain trust, see this from step 3 onward.

Domain Admin rights on a cross-forest domain trust
http://jasonduffett.net/post/5448151233/administering-cross-forest-domains-with-a-single-login
 
LVL 1

Author Comment

by: Simon336697
ID: 39613597
Hi Sandeshdubey,

Thank you mate.

Can I please clarify with you what you are saying below?

Add the User Accounts to Global Groups > Global Groups to Universal Groups > Universal Groups to Domain Local Groups > assign the permission to the Domain Local Groups.

What I need to know is this.

Given I have the below..
2 domains (Test.net and A.test.net)
Domain account: Test.net\service_quest

and want Test.net\service_quest to be a member of the local administrators group on all domain controllers in BOTH the root and sub domains (of the SAME FOREST):

Do I:

1) Add test.net\service_quest to:

test.net\quest users (global group) - is this global group created in test.net or A.test.net?

then

2) Add test.net\quest users to:

test.net\uniquest users (universal group) - is this universal group created in test.net or A.test.net?

then

3) Add test.net\uniquest users to:

A.test.net\dlquest users (domain local group), the group you want to assign the permission to.

I'm getting confused in which domains to create these accounts...whether it is the root or subdomain.
 
LVL 24

Expert Comment

by: Sandeshdubey
ID: 39615334
"want Test.net\service_quest to be a member of the local administrators group on all domain controllers in BOTH the root and sub domains (of the SAME FOREST)"

There is no local admin group on a DC; you can add your user ID to the Domain Admins group or the Administrators group in both forests to have domain rights on DCs.

If you want workstations also, then you need to use Restricted Groups policy: http://jasonduffett.net/post/5448151233/administering-cross-forest-domains-with-a-single-login

The above steps for groups are for resource access; as you don't want that, ignore them.
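The two replies above describe the same procedure from two angles: KCTS's global-into-universal nesting, and Sandeshdubey's point that a DC has no separate local Administrators group, so the target is each domain's built-in Administrators group (the domain-local "DL" of AGUDLP). The script below is an added example written for this page, not code from the thread or from the linked articles. It uses the domain, account and group names from the question and the replies (test.net, a.test.net, service_quest, "quest users", "uniquest users"); the RSAT ActiveDirectory module, rights to create groups and edit Administrators in both domains, and an OU named "Groups" at each domain root are assumptions.

```powershell
<#
 Added example (not from the thread). Builds the AGUDLP chain for the forest in
 the question, nests the universal group into BUILTIN\Administrators of both
 domains, then audits who actually ends up with Administrators on the DCs.
 Assumptions: RSAT ActiveDirectory module; caller can create groups and edit
 Administrators in both domains; groups live in OU=Groups under each domain root.
#>
Import-Module ActiveDirectory

$RootDomain  = 'test.net'
$ChildDomain = 'a.test.net'
$Account     = 'service_quest'      # exists in test.net, as in the question
$GlobalName  = 'quest users'        # global group name used in the thread
$UniName     = 'uniquest users'     # universal group name used in the thread
$GroupOu     = 'OU=Groups'          # assumed container, relative to each domain root

function Get-DomainDn { param([string]$Domain) (Get-ADDomain -Identity $Domain).DistinguishedName }

function Get-DomainFromDn {
    # "CN=x,OU=y,DC=a,DC=test,DC=net" -> "a.test.net", so each group can be queried
    # against a DC of its own domain (naive about escaped commas in RDNs).
    param([string]$Dn)
    (($Dn -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'
}

function Initialize-AdGroup {
    # Idempotent: return the group if it exists, otherwise create it with the given scope.
    param([string]$Domain, [string]$Name, [string]$Scope)
    $g = Get-ADGroup -Server $Domain -Filter "Name -eq '$Name'"
    if (-not $g) {
        $g = New-ADGroup -Server $Domain -Name $Name -GroupScope $Scope -GroupCategory Security `
                         -Path "$GroupOu,$(Get-DomainDn $Domain)" -PassThru
    }
    return $g
}

# A + G: one global group per domain. A global group may only contain principals from
# its own domain, so service_quest goes into the test.net one; the a.test.net global
# group is created so child-domain accounts can be added the same way later.
$global = @{}
foreach ($d in $RootDomain, $ChildDomain) { $global[$d] = Initialize-AdGroup -Domain $d -Name $GlobalName -Scope Global }
Add-ADGroupMember -Server $RootDomain -Identity $global[$RootDomain] `
                  -Members (Get-ADUser -Server $RootDomain -Identity $Account)

# U: one universal group in the root domain holding both global groups. Universal
# membership is replicated to the global catalog, so DCs of the child domain resolve it.
$uni = Initialize-AdGroup -Domain $RootDomain -Name $UniName -Scope Universal
foreach ($d in $RootDomain, $ChildDomain) {
    Add-ADGroupMember -Server $RootDomain -Identity $uni -Members $global[$d]
}

# DL + P: S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, a domain-local
# group in every domain. Membership means Administrators on every DC of that domain,
# which is full control of the domain, so review the audit below before relying on it.
foreach ($d in $RootDomain, $ChildDomain) {
    $admins = Get-ADGroup -Server $d -Identity 'S-1-5-32-544'
    Add-ADGroupMember -Server $d -Identity $admins -Members $uni
}

function Get-EffectiveMembers {
    # Expands nested membership by hand, querying each group in its own domain,
    # because Get-ADGroupMember -Recursive does not reliably follow cross-domain nesting.
    param($Group, [hashtable]$Seen = @{})
    $srv = Get-DomainFromDn $Group.DistinguishedName
    foreach ($m in Get-ADGroupMember -Server $srv -Identity $Group) {
        if ($Seen.ContainsKey($m.distinguishedName)) { continue }
        $Seen[$m.distinguishedName] = $true
        $mDomain = Get-DomainFromDn $m.distinguishedName
        if ($m.objectClass -eq 'group') {
            Get-EffectiveMembers -Group (Get-ADGroup -Server $mDomain -Identity $m.distinguishedName) -Seen $Seen
        } else {
            [pscustomobject]@{ Domain = $mDomain; Class = $m.objectClass; Name = $m.SamAccountName; DN = $m.distinguishedName }
        }
    }
}

# Audit: every principal that now holds Administrators on the DCs of each domain.
foreach ($d in $RootDomain, $ChildDomain) {
    "== Effective Administrators in $d =="
    Get-EffectiveMembers -Group (Get-ADGroup -Server $d -Identity 'S-1-5-32-544') | Format-Table -AutoSize
}
```

Run it from a domain-joined machine as an account that has the rights listed in the header; the audit at the end should list service_quest once under each domain. Note what this grants: Administrators on a DC is not a "local" right in any meaningful sense, it is administrative control of that domain, so a service account placed here needs the same protection (long random password or a managed service account, no interactive logon, monitored use) as a Domain Admin. Member servers and workstations are not covered by this chain; for those, KCTS's Restricted Groups GPO pushing the universal group into the local Administrators group is still the way to do it.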
 
LVL 1

Author Comment

by: Simon336697
ID: 39615366
Hi Sandesh,
Thank you so much.
 
LVL 1

Author Closing Comment

by: Simon336697
ID: 39723103
Thank you and sorry for the delay.
