trust relationship in AD 2003


  • trust relationship in AD 2003

    I have two different domains (A and B) and I have configured a trust relationship between these domains (two way). Everything is OK and working fine.

    My issue: I have created a user X in domain B and I logged in with this user X on a machine joined to domain A and everything is OK (I can log in), but the user X doesn't have full privilege for that machine.

    I went to domain B (where I created the user) and made him a member of Administrators, but he still doesn't have full privilege to the machine which is joined to domain A.

    Appreciate your help!

  • #2
    Re: trust relationship in AD 2003

    Hi,

    Can you explain more on this?
    "but the user x doesn't have full privilege for that machine"
    Thanks & Regards
    v-2nas

    MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
    Sr. Wintel Eng. (Investment Bank)
    Independent IT Consultant and Architect
    Blog: http://www.exchadtech.blogspot.com

    Show your appreciation for my help by giving reputation points



    • #3
      Re: trust relationship in AD 2003

      My Dear friend,

      When I log in to domain A with any new user created in domain B, I can log in normally (that means the trust relationship is working fine). But after I log in I don't have full privilege for Windows. I.e. if I try to open msconfig, it says access denied, or if I try to open any other user profile in C:\Documents and Settings\???? I get access denied. I need this user to have full privilege. As I mentioned before, I granted this user (x) full privilege but still have the same issue.

      Please let me know in case you need more details.

      regards



      • #4
        Re: trust relationship in AD 2003

        Hi,

        You cannot log in to DomainA with a DomainB user or vice versa... Do you have the same account names created in both domains? This can cause confusion.

        For a normal AD user account such restrictions will be in effect. In order to elevate the user's permissions you can add him to the domain admin group for the domain the user is logging in to, or if you want specific permissions or privileges to be given, then you can do it using delegation and using groups.
        Thanks & Regards
        v-2nas



        • #5
          Re: trust relationship in AD 2003

          On the computer that the user is logging in to, you must give them permissions as administrator, relevant to that specific computer.

          I.e., on ComputerC in DomainB, you must add "domainA\UserZ" as a local administrator
          (or, if you're so inclined, DomainA\GroupY).
          Just make sure your group has the right scope (Global, IIRC?)
          Please do show your appreciation to those who assist you by leaving Rep Points



          • #6
            Re: trust relationship in AD 2003

            v-2nas and tehcamel,

            Thank you both. Maybe I did not give the correct idea to v-2nas (sorry, it's my mistake and you were right about the user confusion).

            Anyhow, in AD Users and Computers I gave the user full control but this did not solve the problem.

            From the Control Panel on the machine I used User Accounts to add that user as administrator for that appropriate and it works fine.

            Why is it working from Control Panel / User Accounts and not from AD Users and Computers?



            • #7
              Re: trust relationship in AD 2003

              Hi,

              "why it's working from control panel /user account and not from the AD user and computer?"

              You are making the user a member of the local administrators group and testing it on the same machine. However, if you log on to a different machine then it will no longer work.
              If you want to modify and play with local system settings not active directory.
              You can make use of restricted groups and GPO that will make a given user/group a member of the local administrators group on each machine where the group policy will apply.

              http://www.windowsecurity.com/articl...ed-Groups.html
              Thanks & Regards
              v-2nas



              • #8
                Re: trust relationship in AD 2003

                Thanks a lot for this link http://www.windowsecurity.com/articl...ed-Groups.html I have been looking for such info for a long time.

                So using the restricted group I can configure the users who will be members of the local administrators. I have one question:

                I have 100 PCs and 100 users. Normally every user will be a member of the local admins on his computer only. Suppose I added this user to the restricted group, does that mean he will have local admin rights on all 100 PCs?

                If I am right, then this will not help me, because if that user logs in to any PC (of the 100 PCs) he can modify whatever he needs.

                Please correct me if I am wrong.

                Best Regards,



                • #9
                  Re: trust relationship in AD 2003

                  Hi,

                  By default, a normal user account doesn't have local admin privilege on the workstation they log on to. If an individual user account requires admin privilege on a local workstation and is restricted to one machine, then you would need to use VB or PowerShell code to make a specific user a member of a specific workstation, not all.

                  Restricted groups are used to give a user, let's say, admin access on a group of computers.
                  Thanks & Regards
                  v-2nas


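One way to script the per-workstation assignment described in posts #5 and #9, as an added example that is not code from the thread: it uses the ADSI WinNT provider to read each machine's local Administrators group, optionally adds the one assigned account, and reports any member that is neither assigned nor in the baseline. All computer, domain and account names are hypothetical, and it assumes the script runs under an account that already administers the target workstations.

```powershell
# Added example; all computer, domain and account names are hypothetical.
# Map each workstation to the one account allowed to administer it.
$Assignments = @{
    'PC-001' = 'DOMAINB/userx'
    'PC-002' = 'DOMAINB/usery'
}
# Members expected on every machine (assumed baseline for this sketch).
$Baseline = @('Administrator', 'DOMAINA/Domain Admins')
$Apply = $false   # $false = report only; $true = also add missing members

function Get-LocalAdminMember {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        # Local accounts come back as DOMAIN/COMPUTER/name: keep the name only.
        if ($parts.Count -ge 3) { $parts[-1] } else { $parts -join '/' }
    }
}

function Add-LocalAdminMember {
    param([string]$Computer, [string]$Account)   # $Account is 'DOMAIN/name'
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.Add("WinNT://$Account")
}

foreach ($computer in $Assignments.Keys) {
    $wanted = $Assignments[$computer]
    try {
        $current = @(Get-LocalAdminMember -Computer $computer)
    } catch {
        Write-Warning "${computer}: cannot read Administrators group: $_"
        continue
    }
    if ($current -notcontains $wanted) {
        if ($Apply) { Add-LocalAdminMember -Computer $computer -Account $wanted }
        Write-Output "${computer}: $wanted missing (added: $Apply)"
    }
    # Anything that is neither baseline nor the assigned account is drift.
    foreach ($extra in $current | Where-Object { ($Baseline + $wanted) -notcontains $_ }) {
        Write-Output "${computer}: unexpected local administrator $extra"
    }
}
```

Run it with `$Apply = $false` first to see the current state; the "unexpected local administrator" lines show accounts that gained admin rights outside the mapping, including any pushed to every machine by a Restricted Groups policy.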