Wireless Networks Thread, Cross-domain administration in Technical; I have 3 domains - students, employees, and a resource domain with services that both domains use. They are running ...
12th April 2010, 09:46 PM #1
I have 3 domains - students, employees, and a resource domain with services that both domains use. They are running on Server 2008 at 2008 functional level. I'd like for IT users in the employee domain to be able to use Active Directory Users & Computers (ADUC) locally on their computers for all 3 domains rather than having to RDP into the other two domains.
Employee domain administrators can't administer the resource domain, and I assume that the lack of explicitly granted permission is why. Once I get that working I will do the same for the student domain.
There exists a one-way trust such that users on the employee domain can be granted access to stuff on the resource domain. For example, I can easily add any user from the student or employee domain to file permissions on a resource domain computer.
However, if in ADUC on the resource domain I try to add another domain's user to a Universal security group, which should work, I cannot even choose the domain. It doesn't show up when I click "Locations", and if I instead type the username preceded by the domain (or follow it with @domain), it fails.
Am I trying to do the right thing but failing, or am I going in a totally wrong direction?
13th April 2010, 04:00 PM #2
Bump. Does anyone have separate Active Directory domains for employees and students, and administer both from a computer on one domain?
13th April 2010, 04:08 PM #3
18 hours does not qualify you for a bump. How rude.
In answer: yes, I used to run a forest of four domains from one console, quite happily with a two-way trust. I'm not an expert though, I never dared play once I'd set it up.
13th April 2010, 04:14 PM #4
Sorry, on other forums where I'm a member that's acceptable. I won't do that again here.
I have made a small bit of progress. I was able to add users from another domain to a local security group, but I can't add that group to the Domain Admins group. Is there a way to grant administration priveleges directly to the group?
13th April 2010, 04:18 PM #5
Isn't the domain admins group domain-local?
13th April 2010, 04:21 PM #6
The Domain Admins group is Global.
13th April 2010, 04:42 PM #7
Grant the group Full Control over the domain, or the branch of it you want them to manage?
Originally Posted by ronanian
Better for your purposes though might be to just choose to delegate control to those groups.
Thanks to jamesb from:
ronanian (13th April 2010)
13th April 2010, 05:34 PM #8
Ah! I have never done that before. I've never worked on a large or complex enough AD to need to delegate that way; I've always just added users to the Domain Admins group.
I think I've got a few small bugs to work out but my problem is substantially solved now.
By hermiod in forum Wireless Networks
Last Post: 22nd February 2010, 07:34 PM
By Wolfman in forum How do you do....it?
Last Post: 16th October 2009, 06:13 PM
By Wolfman in forum Windows Server 2000/2003
Last Post: 15th October 2009, 11:31 AM
By _techie_ in forum Windows Server 2000/2003
Last Post: 2nd February 2009, 08:29 AM
By galloshes in forum Windows
Last Post: 27th March 2008, 03:06 AM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Tags for this Thread