  1. #1
    ronanian

    Question Cross-domain administration

    I have 3 domains - students, employees, and a resource domain with services that both domains use. They are running on Server 2008 at 2008 functional level. I'd like for IT users in the employee domain to be able to use Active Directory Users & Computers (ADUC) locally on their computers for all 3 domains rather than having to RDP into the other two domains.

    Employee domain administrators can't administer the resource domain, and I assume that the lack of explicitly granted permission is why. Once I get that working I will do the same for the student domain.

    There exists a one-way trust such that users on the employee domain can be granted access to stuff on the resource domain. For example, I can easily add any user from the student or employee domain to file permissions on a resource domain computer.

    However, if in ADUC on the resource domain I try to add another domain's user to a Universal security group, which should work, I cannot even choose the domain. It doesn't show up when I click "Locations", and if I instead type the username preceded by the domain (or follow it with @domain), it fails.

    Am I trying to do the right thing but failing, or am I going in a totally wrong direction?

  2. #2
    ronanian
    Bump. Does anyone have separate Active Directory domains for employees and students, and administer both from a computer on one domain?

  3. #3

    powdarrmonkey
    18 hours does not qualify you for a bump. How rude.

    In answer: yes, I used to run a forest of four domains from one console, quite happily with a two-way trust. I'm not an expert though, I never dared play once I'd set it up.

  4. #4
    ronanian
    Sorry, on other forums where I'm a member that's acceptable. I won't do that again here.

    I have made a small bit of progress. I was able to add users from another domain to a local security group, but I can't add that group to the Domain Admins group. Is there a way to grant administration privileges directly to the group?

  5. #5

    powdarrmonkey
    Isn't the domain admins group domain-local?

  6. #6
    ronanian
    The Domain Admins group is Global.

  7. #7

    Originally posted by ronanian:
        Sorry, on other forums where I'm a member that's acceptable. I won't do that again here.

        I have made a small bit of progress. I was able to add users from another domain to a local security group, but I can't add that group to the Domain Admins group. Is there a way to grant administration privileges directly to the group?

    Grant the group Full Control over the domain, or the branch of it you want them to manage?

    Better for your purposes though might be to just choose to delegate control to those groups.

  8. Thanks to jamesb from:

    ronanian (13th April 2010)
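
The delegation suggested in post #7, sketched as an added example (not code from any poster in this thread): a domain-local group in the resource domain holds the trusted-domain IT users and is granted rights on a single OU instead of Domain Admins membership. The domain names, group name, user names and OU path are placeholders, and the commands are assumed to run as a resource-domain administrator on a resource-domain machine that has `net` and `dsacls` available.

```powershell
# Added example: every name below is a placeholder, not a value from the thread.
$ResourceNetbios = 'RESOURCE'                                  # assumed NetBIOS name of the resource domain
$Group           = 'Delegated-OU-Admins'                       # hypothetical domain-local group
$Members         = 'EMPLOYEES\it.alice', 'EMPLOYEES\it.bob'    # hypothetical users in the trusted domain
$TargetOU        = 'OU=Managed,DC=resource,DC=example,DC=edu'  # hypothetical OU to delegate
$Trustee         = "$ResourceNetbios\$Group"

function Invoke-Native {
    # Run a native command and stop on a non-zero exit code.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe $Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Create a domain-local group in the resource domain. Domain-local groups
#    can hold accounts from trusted domains outside the forest; global and
#    universal groups cannot.
Invoke-Native net @('localgroup', $Group, '/add', '/domain')

# 2. Add the trusted-domain users (DOMAIN\user form) to that group.
foreach ($m in $Members) {
    Invoke-Native net @('localgroup', $Group, $m, '/add', '/domain')
}

# 3. Delegate on the OU only, not on the domain root:
#    /I:T + CCDC;user -> create/delete user objects in this OU and its sub-containers
#    /I:S + GA;;user  -> full control of the user objects beneath the OU
#    ${Trustee} is braced so PowerShell does not parse "$Trustee:" as a scoped variable.
Invoke-Native dsacls @($TargetOU, '/I:T', '/G', "${Trustee}:CCDC;user")
Invoke-Native dsacls @($TargetOU, '/I:S', '/G', "${Trustee}:GA;;user")

# 4. Review the result: list the OU's ACEs that name the delegated group.
& dsacls $TargetOU | Select-String -SimpleMatch $Trustee
```

Re-running step 4 later gives a quick check that the group's rights are still limited to the intended OU.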

  9. #8
    ronanian
    Ah! I have never done that before. I've never worked on a large or complex enough AD to need to delegate that way; I've always just added users to the Domain Admins group.

    I think I've got a few small bugs to work out but my problem is substantially solved now.
