Search This Blog

Wednesday, January 16, 2013

Add external users to Domain Admins (External Trust)

Recently had to setup a one way external trust between 2 separate domains (not in same forest).

To start with I had to establish dns resolution between the 2 environments, now you can either setup forwarding or setup secondary zones. In my case I decided secondary zones was the way I wanted to go. This enabled me to then setup the outgoing and incoming trusts in each of the domains.

Then I wanted to allow a user in the external trusted domain to be a domain admin, however I soon encountered a problem. There are a raft of rules about what security objects can be assigned to what groups, and to summarise the Domain Admins group is a global security group and as such does not allow for external resources to be assigned to it, there is no way round this using universal groups or domain local groups.

I was banging my head against a wall when I discovered this article, which proposes an elegant solution using domain local groups and group policy objects. In essence we are taking the remote users, adding them to groups and then applying a gpo to add these groups to the builtin/administrator groups.

The full article is here.

http://jasonduffett.net/post/5448151233/administering-cross-forest-domains-with-a-single-login


Share/Bookmark

3 comments:

  1. Thank you for putting an effort to published this article. You've done a great job! Good bless!

    Caren
    www.gofastek.com

    ReplyDelete
  2. Thank you for putting an effort to published this article. You've done a great job! Good bless!

    Caren
    www.gofastek.com

    ReplyDelete
  3. I simply want to say I am new to weblog and truly savored you’re website. More than likely I’m want to bookmark your blog . You actually have excellent writings. Thanks a bunch for sharing your web site.

    Jorcel
    www.imarksweb.org

    ReplyDelete