Administrating multiple domains.
I have
abc.com
123.abc.com
I am unable to setup an account from abc.com domain to be part of a group from the 123.abc.com domain.
We have 2 way transitive trusts.
I am an enterprise and domain admin.
Any ideas?
abc.com
123.abc.com
I am unable to setup an account from abc.com domain to be part of a group from the 123.abc.com domain.
We have 2 way transitive trusts.
I am an enterprise and domain admin.
Any ideas?
Comments
-
macdude Member Posts: 173I am assuming that 123.abc.com is a child domain from abc.com or are they 2 completely different domains?
-
dynamik Banned Posts: 12,312 ■■■■■■■■■□What type of group is it? I believe they're global by default, which is why you can't add members from other domains.
http://technet.microsoft.com/en-us/library/cc755692.aspx -
TechJunky Member Posts: 881I am trying to be apart of 123.abc.com domain admins group.
I was looking through dsadd and dsmod but I dont see a way to do it.
Your right, looks like its a global security group so I cant do it.
Bummer.
Guess I will just add myself to that domain quick, remove the groups i want and then delete my account on that domain. -
astorrs Member Posts: 3,139 ■■■■■■□□□□As others have said, Domain Admins is a global group.
If you don't want to make them members of the Enterprise Admins group (which I would advise you leave empty most of the time):
Create a universal group in 123.abc.com (let's say 123.abc.com\ABCAdmins for reference), add your abc.com account to 123.abc.com\ABCAdmins, then add 123.abc.com\ABCAdmins to 123.abc.com\Domain Admins.
That is a safe long-term strategy (assuming you need to do this on an on-going basis). -
TechJunky Member Posts: 881Thanks.
We are collapsing the domains shortly anyhow. I was just trying to clean up some things before the restructure and I only needed an account for that domain shortly. I was just hoping there was a quick easy way without creating more groups.
Thanks for all the help.
It's done. -
blargoe Member Posts: 4,174 ■■■■■■■■■□astorrs wrote:As others have said, Domain Admins is a global group.
If you don't want to make them members of the Enterprise Admins group (which I would advise you leave empty most of the time):
Create a universal group in 123.abc.com (let's say 123.abc.com\ABCAdmins for reference), add your abc.com account to 123.abc.com\ABCAdmins, then add 123.abc.com\ABCAdmins to 123.abc.com\Domain Admins.
That is a safe long-term strategy (assuming you need to do this on an on-going basis).
You can add yourself to built-in Administrators in 123.abc.com which would give you rights on all the ADUC objects in that domain. Then create restricted groups policies to add groups containing the appropriate users in abc.com to the local administrators group on computers in 123.abc.com if you need it.IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands... -
astorrs Member Posts: 3,139 ■■■■■■□□□□blargoe wrote:astorrs wrote:As others have said, Domain Admins is a global group.
If you don't want to make them members of the Enterprise Admins group (which I would advise you leave empty most of the time):
Create a universal group in 123.abc.com (let's say 123.abc.com\ABCAdmins for reference), add your abc.com account to 123.abc.com\ABCAdmins, then add 123.abc.com\ABCAdmins to 123.abc.com\Domain Admins.
That is a safe long-term strategy (assuming you need to do this on an on-going basis).
You can add yourself to built-in Administrators in 123.abc.com which would give you rights on all the ADUC objects in that domain. Then create restricted groups policies to add groups containing the appropriate users in abc.com to the local administrators group on computers in 123.abc.com if you need it.