AD security in forest environment

  • AD security in forest environment

    I have been a long-time viewer of this site, but am only posting for the first time.

    I am in charge of our AD structure, which consists of a forest with about 6 domains. Let's say the parent domain is A.com, and we have 6 child domains 1.A.com, 2.A.com -> 6.A.com.

    We have recently had some trouble with the fact that all IT use a single admin account for each domain, e.g. Aadmin, 1admin, 2admin -> 6admin. The problem with this is that everyone knows the passwords, hence leaving a large security flaw in the environment. It has been decided to create individual admin accounts for each IT user that they will use for making admin changes.

    I have set up 2 test accounts in A.com, and have replicated the permissions that Aadmin had in a global security group. This works fine.

    The problem I have is that to create groups in the child domains, I need to create them as global groups due to being part of Domain Admins. This creates a problem as I cannot get my 2 test accounts or global security group created in A.com to become members of the global security group I have created in 1.A.com.

    I have tried making the security group in 1.A.com as either domain local or universal, and I can add the accounts from the parent domain, but I cannot set the group to be a member of Domain Admins.

    Please give me some advice on how I can achieve this; I am open to all ideas.

    If you need more information, or I have been too cryptic, then let me know and I will try and explain things further.

    Many thanks in advance.

  • #2
    Re: AD security in forest environment

    Isn't that what Enterprise Admins are for?
    Anyway, you may want to look at that post; that issue was raised once before, although on a different matter, but it is very similar.
    http://forums.petri.com/showthread.php?t=24936
