AD security in forest environment

  • AD security in forest environment

    I have been a long-time viewer of this site, but am only posting for the first time.

    I am in charge of our AD structure, which consists of a forest with about 6 domains. Let's say the parent domain is, and we have 6 child domains, ->

    We have recently had some trouble with the fact that all IT use a single admin account for each domain, e.g. Aadmin, 1admin, 2admin -> 6admin. The problem with this is that everyone knows the passwords, hence leaving a large security flaw in the environment. It has been decided to create individual admin accounts for each IT user that they will use for making admin changes.

    I have set up 2 test accounts in, and have replicated the permissions that Aadmin had in a global security group. This works fine.

    The problem I have is that to create groups in the child domains, I need to create them as global groups due to being part of Domain Admins. This creates a problem, as I cannot get my 2 test accounts or global security group created in to become members of the global security group I have created in

    I have tried making the security group in as either domain local or universal, and I can add the accounts from the parent domain, but I cannot set the group to be a member of Domain Admins.

    Please give me some advice on how I can achieve this; I am open to all ideas.

    If you need more information, or I have been too cryptic, then let me know and I will try to explain things further.

    Many thanks in advance.

  • #2
    Re: AD security in forest environment

    Isn't that what Enterprise Admins are for?
    Anyway, you may want to look at that post; that issue was raised once before, although on a different matter, but it is very similar.