Using a domain account across domains

Hi guys,

Hope you are all well and can assist.

We have one forest, 2 domains:
Test.net
A.test.net

Domain account:
Test.net\service_quest

I need the above account to be a member of the local administrators group on all domain controllers in BOTH domains.

Could one of you gurus please direct me as to how this might be done?

Any help greatly appreciated.
Asked by Simon336697
 
Sandeshdubey (Senior Server Engineer) commented:
The best method to assign permissions is the AGUDLP (Accounts, Global, Universal, Domain Local, Permissions) method of adding users to groups, considering you already have a trust in place between them.

In order to add users from one domain to another domain, whether to computers, groups or AD, you need to use the AGUDLP method. Also, add the DNS suffix on the clients' NIC for faster domain location.

- Add the user accounts to global groups > global groups to a universal group > universal groups to domain local groups > domain local groups to the group you want to assign the permission to. http://technet.microsoft.com/en-us/library/bb742592.aspx

Accessing resources across forests
http://technet.microsoft.com/en-us/library/cc772808%28WS.10%29.aspx
Brian Pierce (Photographer) commented:
Create this group as a universal group.
Create a global group in each domain.
Make the global groups members of the universal group.
Add the user accounts to the global groups in their domain.
Use Restricted Groups to assign the universal group to local admins; see http://myitforum.com/myitforumwp/2011/09/30/how-to-add-domain-accounts-to-local-administrators-group-using-gpo/
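The nesting described in the answer above, written out as an added PowerShell example (not code from the thread or from either answerer). It assumes the RSAT ActiveDirectory module, an account allowed to create groups in both domains, DCs reachable as dc1.test.net and dc1.a.test.net, an OU=Groups container in each domain, and the group names G-Quest-Admins, U-Quest-Admins and DL-Quest-DCAdmins; all of those names are assumptions. Two points the steps above leave implicit: a global group can only hold principals from its own domain, so the global group that contains Test.net\service_quest has to be created in Test.net (a global group in A.test.net would stay empty for this account), and if you later push the universal group out with a Restricted Groups GPO, the "Members of this group" setting replaces the existing membership of the target group, whereas "This group is a member of" only adds to it.

```powershell
# Added example: build the A -> G -> U -> DL chain for Test.net\service_quest across
# both domains of one forest. Hostnames, OU paths and group names are assumptions.
Import-Module ActiveDirectory

$RootDc  = 'dc1.test.net'     # assumed DC in the forest root domain (Test.net)
$ChildDc = 'dc1.a.test.net'   # assumed DC in the child domain (A.test.net)

$Account = Get-ADUser -Identity 'service_quest' -Server $RootDc

# A global group may only contain principals from its own domain, so the group that
# holds service_quest must live in Test.net, the domain the account belongs to.
$GlobalGroup = New-ADGroup -Name 'G-Quest-Admins' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=test,DC=net' -Server $RootDc -PassThru
Add-ADGroupMember -Identity $GlobalGroup -Members $Account -Server $RootDc

# The universal group is what crosses the domain boundary: its membership is published
# in the global catalog, so it can be nested into domain local groups in any domain.
$UniversalGroup = New-ADGroup -Name 'U-Quest-Admins' -GroupScope Universal -GroupCategory Security `
    -Path 'OU=Groups,DC=test,DC=net' -Server $RootDc -PassThru
Add-ADGroupMember -Identity $UniversalGroup -Members $GlobalGroup -Server $RootDc

# One domain local group in the child domain receives the universal group. Pass the
# ADGroup object rather than a bare name so the child DC can resolve a principal that
# is defined in the other domain.
$ChildLocal = New-ADGroup -Name 'DL-Quest-DCAdmins' -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=a,DC=test,DC=net' -Server $ChildDc -PassThru
Add-ADGroupMember -Identity $ChildLocal -Members $UniversalGroup -Server $ChildDc

# Check the chain end to end from the child domain's point of view. -Recursive expands
# the nested universal and global groups, so service_quest should appear as a user.
Get-ADGroupMember -Identity $ChildLocal -Server $ChildDc -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object Name, distinguishedName
```

If the final query comes back empty right after the groups are created, give global catalog replication time to publish the new universal group's membership before assuming the nesting is wrong.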
Simon336697 (Author) commented:
Hi KTS,

Thanks so much for your help :>)

When you say..
"Create this group as a universal group"
I'm not sure I understand...
What group and in what domain?

Thank you
Sandeshdubey (Senior Server Engineer) commented:
The above steps are for resource access. But as you want Domain Admin rights on a cross-forest domain trust, see this from step 3 onward.

Domain Admin rights on a cross-forest domain trust
http://jasonduffett.net/post/5448151233/administering-cross-forest-domains-with-a-single-login
Simon336697 (Author) commented:
Hi Sandeshdubey,

Thank you mate.

Can I please clarify with you what you are saying below?

Add the User Accounts to Global Groups> Global Groups to Universal Group> Universal Groups to Domain Local Groups > Domain Local Groups to the group you want to assign the permission.

What I need to know is this.

Given I have the below..
2 domains (Test.net and A.test.net)
Domain account: Test.net\service_quest

and want Test.net\service_quest to be a member of the local administrators group on all domain controllers in BOTH the root and sub domains (of the SAME FOREST):

Do I:

1) Add test.net\service_quest to:

test.net\quest users (global group) - is this global group created in test.net or A.test.net?

then

2) Add test.net\quest users to:

test.net\uniquest users (universal group) - is this universal created in test.net or A.test.net?

then

3) Add  test.net\uniquest users to:

A.test.net\dlquest users (domain local group) to the group you want to assign the permission.

I'm getting confused about which domains to create these accounts in, whether it is the root or the subdomain.
Sandeshdubey (Senior Server Engineer) commented:
"want Test.net\service_quest to be a member of the local administrators group on all domain controllers in BOTH the root and sub domains (of the SAME FOREST)"

There is no local admin group on a DC; you can add your user ID to the Domain Admins group or the Administrators group in both forests to have domain rights on the DCs.

If you want workstations also, then you need to use Restricted Groups policy. http://jasonduffett.net/post/5448151233/administering-cross-forest-domains-with-a-single-login

The above steps for groups are for resource access; as you don't want that, ignore them.
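The point made above, that a domain controller has no local SAM and "Administrators" on a DC means the domain's built-in Administrators group, is what decides where the account actually has to end up. The following is an added PowerShell example, not code from the thread, that adds an existing universal group (assumed name U-Quest-Admins, created in Test.net) to the built-in Administrators group of each domain and then checks that service_quest is an effective member in both; the DC hostnames are assumptions. Note the scope of what this grants: membership of a domain's Administrators group is administrative control of the whole domain and every DC in it, not a per-server local right, so an account placed here should be treated as a Tier-0 credential.

```powershell
# Added example: grant U-Quest-Admins membership of BUILTIN\Administrators in each domain
# (the group that governs admin rights on that domain's DCs) and verify the effective
# membership of service_quest. Hostnames and the group name are assumptions.
Import-Module ActiveDirectory

# domain name -> a DC to query; both entries are assumed names
$Domains = @{ 'test.net' = 'dc1.test.net'; 'a.test.net' = 'dc1.a.test.net' }

$UniversalGroup = Get-ADGroup -Identity 'U-Quest-Admins' -Server 'dc1.test.net'
$User           = Get-ADUser  -Identity 'service_quest'  -Server 'dc1.test.net'

foreach ($domain in $Domains.Keys) {
    $dc = $Domains[$domain]

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators in every domain;
    # resolving by SID avoids depending on the display name of the group.
    $admins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $dc

    # Idempotent add: only change membership if the universal group is not already there.
    $direct = Get-ADGroupMember -Identity $admins -Server $dc |
        Where-Object { $_.SID -eq $UniversalGroup.SID }
    if (-not $direct) {
        # Pass the ADGroup object so the child DC can resolve a group from the root domain.
        Add-ADGroupMember -Identity $admins -Members $UniversalGroup -Server $dc
    }

    # Effective membership: -Recursive expands the universal and global groups nested
    # beneath Administrators, including the ones defined in the other domain.
    $effective = Get-ADGroupMember -Identity $admins -Server $dc -Recursive |
        Where-Object { $_.SID -eq $User.SID }

    [pscustomobject]@{
        Domain              = $domain
        AdministratorsGroup = $admins.DistinguishedName
        ServiceQuestIsAdmin = [bool]$effective
    }
}
```

Run the script under an account that is already allowed to change the Administrators group in both domains, and keep the output: a row with ServiceQuestIsAdmin = False after the add usually means the child DC has not yet replicated the universal group's membership, not that the nesting is wrong.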
Simon336697 (Author) commented:
Hi sandesh.
Thank you so much.
Simon336697 (Author) commented:
Thank you and sorry for the delay.