Solved

Using a donain account cross domains

Posted on 2013-10-24
8
335 Views
Last Modified: 2013-12-16
Hi guys,

Hope you are all well and can assist.

We have one forest, 2 domains:
Test.net
A.test.net

Domain account:
Test.net\service_quest

I need the above account to be a member of the local administrators group on all domain controllers in BOTH domains.

Could one of you gurus please direct me as to how this might be done?

Any help greatly appreciated.
0
Comment
Question by:Simon336697
  • 4
  • 3
8 Comments
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 90 total points
Comment Utility
Create this group as a universal group
Create a  global group on each domain
make the global groups members of the universal group
add the user accounts to the global groups in the domain
use restricted groups to assign the universal group to local admins see http://myitforum.com/myitforumwp/2011/09/30/how-to-add-domain-accounts-to-local-administrators-group-using-gpo/
0
 
LVL 1

Author Comment

by:Simon336697
Comment Utility
Hi KTS,

Thanks so much for your help :>)

When you say..
"Create this group as a universal group"
I'm not sure I understand...
What group and in what domain?

Thank you
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 410 total points
Comment Utility
The best method to assign permission are AGDULP(Accounts, Global, Universal, Domain Local, Permissions)method to add user in groups, considering you have already trust in place b/w them.

In order to add users in AD from one domain another domain either to computers/groups/AD,then you need to use AGDULP method. Also, add the DNS suffix in the clients NIC for faster domain location.

-Add the User Accounts to Global Groups> Global Groups to Universal Group> Universal Groups to Domain Local Groups > Domain Local Groups to the group you want to assign the permission.http://technet.microsoft.com/en-us/library/bb742592.aspx

Accessing resources across forests
http://technet.microsoft.com/en-us/library/cc772808%28WS.10%29.aspx
0
 
LVL 24

Expert Comment

by:Sandeshdubey
Comment Utility
Above steps are for resource access.But as you wantDomain Admin rights on a cross-forest domain trust see this from setp 3 onward.

Domain Admin rights on a cross-forest domain trust
http://jasonduffett.net/post/5448151233/administering-cross-forest-domains-with-a-single-login
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 1

Author Comment

by:Simon336697
Comment Utility
Hi Sandeshdubey,

Thank you mate.

Can  I please clarify with you what you are saying below?

Add the User Accounts to Global Groups> Global Groups to Universal Group> Universal Groups to Domain Local Groups > Domain Local Groups to the group you want to assign the permission.

What I need to know is this.

Given I have the below..
2 domains (Test.net         and        A.test.net)
Domain account:        Test.net\service_quest

and want Test.net\service_quest to be a member of the local administrators group on all domain controllers in BOTH the root and sub domains (of the SAME FOREST):

Do I:

1) Add test.net\service_quest to:

test.net\quest users (global group) - is this global group created in test.net or A.test.net?

then

2) Add test.net\quest users to:

test.net\uniquest users (universal group) - is this universal created in test.net or A.test.net?

then

3) Add  test.net\uniquest users to:

A.test.net\dlquest users (domain local group) to the group you want to assign the permission.

Im getting confused in which domains to create these accounts...whether it is the root or subdomain.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
Comment Utility
"want Test.net\service_quest to be a member of the local administrators group on all domain controllers in BOTH the root and sub domains (of the SAME FOREST)"

There is no local admin group on DC you can add your user id to domain admin group or administrator group in both forest to have domain rights on Dcs.

If you want workstation also then you need to use restricted group policy.http://jasonduffett.net/post/5448151233/administering-cross-forest-domains-with-a-single-login

The above steps for group is for resource access as you dont want that ignore the same.
0
 
LVL 1

Author Comment

by:Simon336697
Comment Utility
Hi sandesh.
Thank you so much.
0
 
LVL 1

Author Closing Comment

by:Simon336697
Comment Utility
Thank you and sorry for the delay.
0

Featured Post

Wish Marketing would stop bothering you?

Is your marketing department constantly asking for new email signature updates? Are they requesting a different design for every department? Do they need yet another banner added? Don’t let it get you down! There is an easy way to manage all of these requests...

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now