How can Parent Domain User access Child Domain Resource?

Home Forums Microsoft Networking and Management Services Active Directory How can Parent Domain User access Child Domain Resource?

This topic contains 17 replies, has 5 voices, and was last updated by  Ossian 1 week, 6 days ago.

Viewing 18 posts - 1 through 18 (of 18 total)
  • Author
    Posts

  • oudmaster2
    Participant
    #608886

     

    Hi,

     

    I have Parent Domain and Child Domain in my testing environment.

    from Parent Domain, when I use parent\administrator account, I can access the Child DC server admin$

    But I cannot access machines admin$ in the Child Domain other than DC server.

    it asks me to insert credential, and it does not accept parent\administrator

     

    in the Parent Domain, I have already added both Parent and Child administrator accounts in the Enterprise Admins group, and this Enterprise Admins is member of the Child Administrators group.

     

    how can I solve this access issue?

     


    wullieb1
    Moderator
    #608908

    I’m not sure i quite understand what you’re trying to achieve here.

    Is the PARENT\Administrator account a member of the Domain Admins group in the child domain?


    oudmaster2
    Participant
    #608918

     

    Domain Admins group in the child domain is Global Type, I cannot add PARENT\Administrator directly there.

     

    but in the Administrators Group (Built-in Domain Local Type)  of Child domain, I have added PARENT\Administrator there.

     

    Still did not solve the issue,

     

    What I want to specifically achieve here is to make PARENT\Administrator and admin on all machines in the Child Domain(s), currently it is accepted as admin only on DCs machines.

     

     


    Ossian
    Moderator
    #608921

    Can you confirm that CHILD is a subdomain of PARENT (i.e. the FQDN is child.parent.com)?

    Try adding the user to Enterprise Administrators in Parent as this should automatically make them domain admins in Child – not a long term solution, but allows you to check the automatic trusts are working.


    vickynet
    Participant
    #608960

    off course you can’t access the child domain resources because your are members of enterprise admin group, it has only access for all domain controller and child domain in forest wide but for resource you should have domain admin or GPO has to be enable for this resource access.

     

    Thanks,

    vicky.


    oudmaster2
    Participant
    #608967

     

    Hi vicky

     

    Thank you for your input, seems Enterprise Admin as you said it affects only DCs in the Forest.

     

    so the question now, how to make Parent\Administrator account act as admin for the whole Forest?

     

    I thought by adding it into Child Administrators group should be enough!!


    wullieb1
    Moderator
    #608973

    You need to dd it to the Domain Admins group.


    oudmaster2
    Participant
    #608974

    Domain Admins group in the child domain is Global Type, I cannot add PARENT\Administrator directly there.

    • This reply was modified 3 weeks, 1 day ago by  oudmaster2.

    wullieb1
    Moderator
    #609015

    Create a universal group and add the parent\administrator account to that then add the universal group to the Domain Admins group.


    danielp
    Participant
    #609301

    It may be useful to get back to the basics and read about various AD-based groups and how they interact with each other.


    wullieb1
    Moderator
    #609342

    I assume that this is directed at me??


    Ossian
    Moderator
    #609347

    Since danielp is “our” Daniel Petri, I assume it was directed at oudmaster.

    Welcome back, Daniel – we’ve missed you – and how come your aren’t at least a moderator?


    danielp
    Participant
    #609352

    Strangest thing. You know how things are. Maybe you can tell whoever manages this to restore my status…

    BTW, is there no way to send PMs now?


    Ossian
    Moderator
    #609379

    It seems not…


    wullieb1
    Moderator
    #609390

    @ossian – yeah i gathered that. Been around a while now ;)

    @danielp – Welcome back. All back to full fitness now? I believe we can’t quote in these forums either, and i don’t have mod rights either now. Maybe they got rid of the dead wood during the migration :P


    danielp
    Participant
    #609733

    wullieb1 – so we’re dead wood now?


    wullieb1
    Moderator
    #609897

    @danielp i hope not :)


    Ossian
    Moderator
    #609943

    Daniel & Willie,

    There is a request in the mod forum for both of you to have moderator rights again – not sure what is happening to it?

Viewing 18 posts - 1 through 18 (of 18 total)

You must be logged in to reply to this topic.