Administrating multiple domains.

TechJunky Member Posts: 881
I have

abc.com
123.abc.com

I am unable to set up an account from abc.com domain to be part of a group from the 123.abc.com domain.

We have 2 way transitive trusts.

I am an enterprise and domain admin.

Any ideas?

Comments

  • macdude Member Posts: 173
    I am assuming that 123.abc.com is a child domain from abc.com or are they 2 completely different domains?
  • dynamik Banned Posts: 12,312
    What type of group is it? I believe they're global by default, which is why you can't add members from other domains.

    http://technet.microsoft.com/en-us/library/cc755692.aspx
  • TechJunky Member Posts: 881
    I am trying to be a part of 123.abc.com domain admins group.

    I was looking through dsadd and dsmod but I don't see a way to do it.

    You're right, looks like it's a global security group so I can't do it.

    Bummer.

    Guess I will just add myself to that domain quick, remove the groups I want and then delete my account on that domain.
  • dynamik Banned Posts: 12,312
    Can you add your account to the Enterprise Admins group?
  • astorrs Member Posts: 3,139
    As others have said, Domain Admins is a global group.

    If you don't want to make them members of the Enterprise Admins group (which I would advise you leave empty most of the time):

    Create a universal group in 123.abc.com (let's say 123.abc.com\ABCAdmins for reference), add your abc.com account to 123.abc.com\ABCAdmins, then add 123.abc.com\ABCAdmins to 123.abc.com\Domain Admins.

    That is a safe long-term strategy (assuming you need to do this on an on-going basis).
  • TechJunky Member Posts: 881
    Thanks.

    We are collapsing the domains shortly anyhow. I was just trying to clean up some things before the restructure and I only needed an account for that domain shortly. I was just hoping there was a quick easy way without creating more groups.

    Thanks for all the help.

    It's done. ;)
  • blargoe Member Posts: 4,174
    astorrs wrote:
    > As others have said, Domain Admins is a global group.
    >
    > If you don't want to make them members of the Enterprise Admins group (which I would advise you leave empty most of the time):
    >
    > Create a universal group in 123.abc.com (let's say 123.abc.com\ABCAdmins for reference), add your abc.com account to 123.abc.com\ABCAdmins, then add 123.abc.com\ABCAdmins to 123.abc.com\Domain Admins.
    >
    > That is a safe long-term strategy (assuming you need to do this on an on-going basis).

    I didn't think you could add universal groups to global groups?

    You can add yourself to built-in Administrators in 123.abc.com which would give you rights on all the ADUC objects in that domain. Then create restricted groups policies to add groups containing the appropriate users in abc.com to the local administrators group on computers in 123.abc.com if you need it.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • astorrs Member Posts: 3,139
    blargoe wrote:
    > astorrs wrote:
    > > As others have said, Domain Admins is a global group.
    > >
    > > If you don't want to make them members of the Enterprise Admins group (which I would advise you leave empty most of the time):
    > >
    > > Create a universal group in 123.abc.com (let's say 123.abc.com\ABCAdmins for reference), add your abc.com account to 123.abc.com\ABCAdmins, then add 123.abc.com\ABCAdmins to 123.abc.com\Domain Admins.
    > >
    > > That is a safe long-term strategy (assuming you need to do this on an on-going basis).
    >
    > I didn't think you could add universal groups to global groups?
    >
    > You can add yourself to built-in Administrators in 123.abc.com which would give you rights on all the ADUC objects in that domain. Then create restricted groups policies to add groups containing the appropriate users in abc.com to the local administrators group on computers in 123.abc.com if you need it.

    You're right, I must have lost my mind there. Sorry.
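
The group-scope check the thread converges on, as an added PowerShell example that is not part of any post above. It assumes the ActiveDirectory module (RSAT) is installed and that both domains are in one forest; the account name `jdoe` and the function name `Add-CrossDomainMember` are placeholders made up for illustration.

```powershell
# Added example: check a group's scope before attempting a cross-domain add.
# 'jdoe' is a placeholder account; the domain names are the ones in the thread.
Import-Module ActiveDirectory

function Add-CrossDomainMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $MemberSam,     # account to add
        [Parameter(Mandatory)] [string] $MemberDomain,  # domain that holds the account
        [Parameter(Mandatory)] [string] $GroupName,     # target group
        [Parameter(Mandatory)] [string] $GroupDomain    # domain that holds the group
    )

    # GroupScope (DomainLocal, Global, Universal) is returned by default.
    $group = Get-ADGroup -Identity $GroupName -Server $GroupDomain
    $user  = Get-ADUser  -Identity $MemberSam -Server $MemberDomain

    # A global group only accepts members from its own domain, which is
    # why the add to 123.abc.com\Domain Admins fails for an abc.com account.
    if ($group.GroupScope -eq 'Global' -and $MemberDomain -ne $GroupDomain) {
        Write-Warning ("{0}\{1} is a Global group; it cannot hold {2}\{3}." -f `
            $GroupDomain, $GroupName, $MemberDomain, $MemberSam)
        return $false
    }

    if ($PSCmdlet.ShouldProcess("$GroupDomain\$GroupName", "Add $MemberDomain\$MemberSam")) {
        # Pass the resolved user object so the member is found in its own domain.
        Add-ADGroupMember -Identity $group -Members $user -Server $GroupDomain
    }
    return $true
}

# Refused: Domain Admins is Global.
Add-CrossDomainMember -MemberSam jdoe -MemberDomain abc.com `
    -GroupName 'Domain Admins' -GroupDomain 123.abc.com -WhatIf

# Accepted: built-in Administrators is DomainLocal, so it can hold
# accounts from another domain. -WhatIf shows the change without making it.
Add-CrossDomainMember -MemberSam jdoe -MemberDomain abc.com `
    -GroupName 'Administrators' -GroupDomain 123.abc.com -WhatIf

# Review who holds the privilege, and remove temporary access afterwards.
Get-ADGroup -Identity 'Administrators' -Server 123.abc.com -Properties member |
    Select-Object -ExpandProperty member
# Remove-ADGroupMember -Identity 'Administrators' -Members $user -Server 123.abc.com
```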