
nesting user/group into Domain Admins of a trusted domain


  • nesting user/group into Domain Admins of a trusted domain

    hey guys, got a quick question for you.
    I am running a test lab for something involving 2 forests with one domain each, all 2003 FL.
    do you know if it's possible to nest a user/group into the Domain Admins group of the other forest/domain?

    the only thing I found that works for me is nesting it into the "Administrators" group in the AD (not the local Administrators group of a server - don't get mixed up), as that is nearly the same as Domain Admins?
    what difference is there between the Domain Admins and Administrators groups in the AD?

  • #2
    Re: nesting user/group into Domain Admins of a trusted domain

    The "Administrators" group is where "Domain Admins" gets its powers from. All the Arcane Words of Power the Domain Admin can speak, are granted to it by membership of the "Administrators" group.

    Unfortunately, because the "Administrators" group is a Domain Local (BUILTIN) group, and the "Domain Admins" group is a Domain Global group, you cannot add groups from foreign domains into the Domain Admins group directly. Also, because a lot of domain functions and file permissions are granted to Domain Admins by default (as opposed to Administrators), it's difficult to grant members of foreign domains the access you want to.

    Here's a strategy which I have not tried in the real world but SHOULD work.

    First create a two way Forest Trust between your two forests - this will allow cross-forest authentication and therefore granting of permissions. Let's call them forest A and forest B. Let's call the root domains A1 and B1, and let's assume that you want to allow Domain Admins in A1 access to a resource in B1.

    Create a universal group in B1 called "ug_Admins". Create a Domain Local group in B1 called "lg_Admins". Make "ug_Admins" a member of "lg_Admins". Make "lg_Admins" a member of Domain Admins in B1. There - anyone in ug_Admins is now a Domain Admin of Domain B1.

    Wait for GC Replication - this step is VITALLY important.

    Create a domain local group in A1 called "lg_A Admins". Make "A1\BUILTIN\Administrators" a member of it. Make "lg_A Admins" a member of "ug_Admins" - theoretically any member of a group which is a member of "Administrators" in A1 is now also a Domain Admin in B1.

    If anyone spots any glaring holes in this (like I've got my permitted memberships upside down) please feel free to rip this to bits.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: nesting user/group into Domain Admins of a trusted domain

      That method sounds logical to me.
      the question I am still having a hard time understanding is, what do I lose if I attach the user from domain A to the Administrators group in domain B rather than doing that trick making him a Domain Admin?
      in other words, are there things that Domain Admins can do that the Administrators group can't, or vice versa?



      • #4
        Re: nesting user/group into Domain Admins of a trusted domain

        You can't use universal groups for cross-forest permissioning. Universal groups cannot cross the forest boundary, as they live in the GC and GCs do not share information between forests.

        There is no easy solution. Making a user account from another forest a member of Administrators group will give it *some* power, but the default ACLs will not let the account fully administer the domain. Being a member of Administrators does give you enough permissions to alter the ACLs and eventually do whatever you want, but you will have to touch way too many ACLs - not a wise choice if you ask me.

        The easiest way to cope with it is to create an additional account in the domain you want to administer and make it a member of Domain Admin group.
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"



        • #5
          Re: nesting user/group into Domain Admins of a trusted domain

          Originally posted by Akila:
          > in other words, are there things that Domain Admins can do that the Administrators group can't, or vice versa?
          I am way oversimplifying it, but the rule of thumb is that OS level permissions are granted via Administrators group, while most of AD permissions leverage the "Domain Admins" group.
          Members of Administrators group will be able to change permissions/take ownership of objects in AD, but will not have, by default, administrative permissions equivalent to DAs.

          Bottom line: DAs have more permissions based on the default ACLs (DAs are members of Administrators), but you should treat Administrators as DAs as they can gain access to anything DAs have access to.
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"



          • #6
            Re: nesting user/group into Domain Admins of a trusted domain

            There is one problem with your suggestion, and that is the fact that only global groups can be members of global groups, and it so happens that Domain Admins is a global group, so you won't be able to add lg_Admins to Domain Admins.



            • #7
              Re: nesting user/group into Domain Admins of a trusted domain

              There is one thing you did not take into account, and it is that a global group cannot nest another global group (maybe any other groups as well) from outside its domain, and that was the issue of this post.
              Only a domain local group can nest a global group from other domains - I am not sure if the same is true for other domains within the same forest, but as far as inter-forest goes, it cannot nest them.
              Last edited by Akila; 16th July 2008, 19:52.



              • #8
                Re: nesting user/group into Domain Admins of a trusted domain

                Yeah, Chris Birley just said that. Now I feel DOUBLE stupid. Thanks.

                With that restriction, it cannot be done.


                Tom
                For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                Anything you say will be misquoted and used against you
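The nesting rules argued over in posts #2, #4, #6 and #7 can be written down and checked mechanically. The following is an added example, not code from the thread: it models the Windows Server 2003 native-mode group-scope rules and runs Tom's proposed plan through them, reporting which steps the directory would refuse. Group and domain names (ug_Admins, lg_Admins, A1, B1, the sample users) are the thread's own or constructed for illustration.

```python
# Model of Windows Server 2003 native-mode group-scope nesting rules,
# used to check a cross-forest nesting plan before trying it in a lab.
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    forest: str
    scope: str  # "user", "global", "universal" or "domainlocal"

def can_nest(member: Principal, target: Principal) -> bool:
    """True if `member` may be added to group `target` under the scope rules."""
    same_domain = member.domain == target.domain
    same_forest = member.forest == target.forest
    if target.scope == "global":
        # Global groups accept only users and global groups from their own domain.
        return member.scope in ("user", "global") and same_domain
    if target.scope == "universal":
        # Universal groups accept users, global and universal groups from any
        # domain in the same forest; nothing from another forest (post #4).
        return member.scope in ("user", "global", "universal") and same_forest
    if target.scope == "domainlocal":
        # Domain local groups accept users, global and universal groups from any
        # trusted domain; other domain local groups only from their own domain.
        return same_domain if member.scope == "domainlocal" else True
    raise ValueError(f"unknown scope {target.scope!r}")

def failing_steps(plan):
    """Return 'member -> target' labels for every step the directory would reject."""
    return [f"{m.name} -> {t.name}" for m, t in plan if not can_nest(m, t)]

# Constructed objects mirroring the thread: forests A and B, root domains A1 and B1.
ug_admins = Principal("ug_Admins", "B1", "B", "universal")
lg_admins = Principal("lg_Admins", "B1", "B", "domainlocal")
da_b1 = Principal("Domain Admins (B1)", "B1", "B", "global")
admins_b1 = Principal("BUILTIN\\Administrators (B1)", "B1", "B", "domainlocal")
lg_a_admins = Principal("lg_A Admins", "A1", "A", "domainlocal")
user_a1 = Principal("A1\\alice", "A1", "A", "user")
user_b1 = Principal("B1\\alice-admin", "B1", "B", "user")  # Guy's separate account

TOM_PLAN = [
    (ug_admins, lg_admins),    # universal into domain local: allowed
    (lg_admins, da_b1),        # domain local into global: rejected (post #6)
    (lg_a_admins, ug_admins),  # cross-forest into universal: rejected (posts #4, #7)
]

if __name__ == "__main__":
    print("Rejected steps:", failing_steps(TOM_PLAN))
    print("A1 user into B1 Administrators:", can_nest(user_a1, admins_b1))
    print("B1 account into B1 Domain Admins:", can_nest(user_b1, da_b1))
```

The two working alternatives the thread lands on, nesting the foreign user into BUILTIN\Administrators of B1 or creating a separate B1 account and making it a Domain Admin, both pass the same check.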
