Administer group policies across multiple domains in the same forest

  • Administer group policies across multiple domains in the same forest

    Hi all,

    I am hoping this is a relatively simple question.

    Basically my scenario is that I have one forest and the root domain of the forest is jasebert.com. I then have 5 second level child domains named me.jasebert.com, you.jasebert.com etc.

    What I need to do is allow users of say me.jasebert.com to administer group policy in you.jasebert.com. Now this in itself can be easily done, however I cannot give the group policy admins Enterprise Admin access.

    So basically can I confirm that I am on the right track.

    I create a Universal Group named say "Delegated gp admins" in the root domain. I then create a Global Group in me.jasebert.com called "GG Delegated gp Admins" and add the users to that group. After that I add this global group to the Universal Group.

    In the you.jasebert.com domain I then create "GG Delegated gp Admins" and add the "GG Delegated gp Admins" into the GP objects I wish them to administer. I then add this group to the Universal Group also.

    The domain and forest functional levels are all on W2k3, so universal groups can be used.

    Does this sound right?

  • #2
    Re: Administer group policies across multiple domains in the same forest

    I figured it out.

    Basically all I really need to do is have the one universal group in me.jasebert.com, add the users into that, and then due to it being a universal group, add the relevant access (either by delegating the access via the OU or on the GPO and use the ACL) and that is it.

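The approach settled on in reply #2 (one universal group in me.jasebert.com, granted rights on specific GPOs in you.jasebert.com instead of Enterprise Admin membership), sketched as an added example that is not from either post. It assumes an admin host with the RSAT ActiveDirectory and GroupPolicy PowerShell modules (newer than the W2k3-era tooling in the thread), that the NetBIOS name of me.jasebert.com is `ME`, and hypothetical user and GPO names.

```powershell
# Added example; group, user and GPO names are hypothetical.
Import-Module ActiveDirectory, GroupPolicy

$SourceDomain  = 'me.jasebert.com'      # holds the universal group and its members
$TargetDomain  = 'you.jasebert.com'     # holds the GPOs being delegated
$SourceNetBIOS = 'ME'                   # assumed NetBIOS name of me.jasebert.com
$GroupName     = 'Delegated GP Admins'
$GpoName       = 'Workstation Baseline' # hypothetical GPO in the target domain
$Members       = 'alice', 'bob'         # hypothetical users in the source domain

# 1. Universal security group in the source domain; create it only if missing.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $SourceDomain
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security `
        -Path 'CN=Users,DC=me,DC=jasebert,DC=com' -Server $SourceDomain -PassThru
}

# Add only users who are not already members, so the script can be re-run.
$existing = (Get-ADGroupMember -Identity $group -Server $SourceDomain).SamAccountName
$toAdd = $Members | Where-Object { $_ -notin $existing }
if ($toAdd) {
    Add-ADGroupMember -Identity $group -Members $toAdd -Server $SourceDomain
}

# 2. Grant edit rights on one GPO in the target domain.
#    GpoEdit allows changing settings but not deleting the GPO or rewriting its ACL.
Set-GPPermission -Name $GpoName -DomainName $TargetDomain `
    -TargetName "$SourceNetBIOS\$GroupName" -TargetType Group -PermissionLevel GpoEdit

# 3. Check: list every GPO in the target domain where the group holds a permission,
#    matched by SID so a renamed group is still found.
foreach ($gpo in Get-GPO -All -Domain $TargetDomain) {
    Get-GPPermission -Guid $gpo.Id -All -DomainName $TargetDomain |
        Where-Object { $_.Trustee.Sid.Value -eq $group.SID.Value } |
        Select-Object @{n='Gpo';e={$gpo.DisplayName}}, Permission
}
```

The permission set here covers editing existing GPOs only; linking a GPO to an OU is a separate right delegated on the OU itself, which is the other option reply #2 mentions.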