Solved

Using a domain account cross domains

Posted on 2013-10-24
Last Modified: 2013-12-16
Hi guys,

Hope you are all well and can assist.

We have one forest, 2 domains:
Test.net
A.test.net

Domain account:
Test.net\service_quest

I need the above account to be a member of the local administrators group on all domain controllers in BOTH domains.

Could one of you gurus please direct me as to how this might be done?

Any help greatly appreciated.
0
Question by:Simon336697
8 Comments
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 90 total points
ID: 39599738
Create this group as a universal group
Create a global group on each domain
Make the global groups members of the universal group
Add the user accounts to the global groups in the domain
Use restricted groups to assign the universal group to local admins; see http://myitforum.com/myitforumwp/2011/09/30/how-to-add-domain-accounts-to-local-administrators-group-using-gpo/
0
 
LVL 1

Author Comment

by:Simon336697
ID: 39600059
Hi KCTS,

Thanks so much for your help :>)

When you say..
"Create this group as a universal group"
I'm not sure I understand...
What group and in what domain?

Thank you
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 410 total points
ID: 39606326
The best method to assign permissions is the AGDULP (Accounts, Global, Universal, Domain Local, Permissions) method of adding users to groups, considering you already have a trust in place between them.

In order to add users in AD from one domain to another domain, either to computers/groups/AD, you need to use the AGDULP method. Also, add the DNS suffix in the clients' NIC for faster domain location.

- Add the User Accounts to Global Groups > Global Groups to Universal Group > Universal Groups to Domain Local Groups > Domain Local Groups to the group you want to assign the permission. http://technet.microsoft.com/en-us/library/bb742592.aspx

Accessing resources across forests
http://technet.microsoft.com/en-us/library/cc772808%28WS.10%29.aspx
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39606334
Above steps are for resource access. But as you want Domain Admin rights on a cross-forest domain trust, see this from step 3 onward.

Domain Admin rights on a cross-forest domain trust
http://jasonduffett.net/post/5448151233/administering-cross-forest-domains-with-a-single-login
0
 
LVL 1

Author Comment

by:Simon336697
ID: 39613597
Hi Sandeshdubey,

Thank you mate.

Can I please clarify with you what you are saying below?

Add the User Accounts to Global Groups> Global Groups to Universal Group> Universal Groups to Domain Local Groups > Domain Local Groups to the group you want to assign the permission.

What I need to know is this.

Given I have the below..
2 domains (Test.net         and        A.test.net)
Domain account:        Test.net\service_quest

and want Test.net\service_quest to be a member of the local administrators group on all domain controllers in BOTH the root and sub domains (of the SAME FOREST):

Do I:

1) Add test.net\service_quest to:

test.net\quest users (global group) - is this global group created in test.net or A.test.net?

then

2) Add test.net\quest users to:

test.net\uniquest users (universal group) - is this universal created in test.net or A.test.net?

then

3) Add  test.net\uniquest users to:

A.test.net\dlquest users (domain local group) to the group you want to assign the permission.

I'm getting confused in which domains to create these accounts... whether it is the root or subdomain.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39615334
"want Test.net\service_quest to be a member of the local administrators group on all domain controllers in BOTH the root and sub domains (of the SAME FOREST)"

There is no local admin group on a DC. You can add your user ID to the domain admin group or administrator group in both forests to have domain rights on DCs.

If you want workstations also, then you need to use restricted group policy. http://jasonduffett.net/post/5448151233/administering-cross-forest-domains-with-a-single-login

The above steps for groups are for resource access; as you don't want that, ignore the same.
0
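
Added example, not part of the thread and not posted by any participant: one way to apply the nesting discussed above to the asker's same-forest setup, using each domain's built-in Administrators group, which is what stands in for "local administrators" on a domain controller. It assumes the ActiveDirectory PowerShell module, reuses the group names from the asker's follow-up, and targets Builtin\Administrators rather than Domain Admins because Domain Admins is a global group and cannot hold a principal from the other domain.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
# and rights to create groups in Test.net and to edit Builtin\Administrators
# in both domains. Append -WhatIf to the New-/Add- calls for a dry run.
Import-Module ActiveDirectory

$accountDomain = 'Test.net'                 # domain that holds the service account
$allDomains    = 'Test.net', 'A.test.net'   # both domains named in the question
$account       = 'service_quest'
$globalName    = 'quest users'              # names taken from the asker's follow-up
$universalName = 'uniquest users'

# A -> G: a global group only accepts members from its own domain,
# so it is created in the account's domain (Test.net), default Users container.
New-ADGroup -Name $globalName -GroupScope Global -GroupCategory Security -Server $accountDomain
Add-ADGroupMember -Identity $globalName -Members $account -Server $accountDomain

# G -> U: the universal group is visible forest-wide through the global catalog.
New-ADGroup -Name $universalName -GroupScope Universal -GroupCategory Security -Server $accountDomain
Add-ADGroupMember -Identity $universalName -Members $globalName -Server $accountDomain

# Fetch the group as an object so it can be passed to a DC of the other domain.
$universal = Get-ADGroup -Identity $universalName -Server $accountDomain

foreach ($domain in $allDomains) {
    # U -> DL: Builtin\Administrators is the domain-local group that applies
    # to every domain controller of that domain.
    $domainDn      = (Get-ADDomain -Server $domain).DistinguishedName
    $builtinAdmins = "CN=Administrators,CN=Builtin,$domainDn"
    Add-ADGroupMember -Identity $builtinAdmins -Members $universal -Server $domain

    # Review step: list the direct members now holding admin rights on this
    # domain's DCs, so the new nesting (and anything unexpected) is visible.
    Get-ADGroup -Identity $builtinAdmins -Server $domain -Properties member |
        Select-Object -ExpandProperty member |
        ForEach-Object { '{0}: {1}' -f $domain, $_ }
}
```

Membership of either new group now confers administrative control of the domain controllers in both domains, so the right to edit those two groups needs the same restriction and monitoring as the built-in Administrators group itself.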
 
LVL 1

Author Comment

by:Simon336697
ID: 39615366
Hi sandesh.
Thank you so much.
0
 
LVL 1

Author Closing Comment

by:Simon336697
ID: 39723103
Thank you and sorry for the delay.
0
