Administrator Group in Forest

By jlbpotter
I have a Windows 2000 native mode domain with 4 domains in one forest. These are not child domains. They are all separate trees within the same forest. I am an Enterprise admin at the root of the forest. I have a program that I use (Dameware) that allows me to connect remotely to all of my PCs. The only problem is that you need logon locally rights to the PC to do this. I don't have a problem on my domain because I am a member of the Domain Admins group. It just doesn't work on the other domains. Windows 2000 AD will not allow me to add users from other domains to the builtin Domain Admins group, so I can't just add a group or user to the remote Domain Admins group. Can anyone tell me how to accomplish this? Delegating control of the domain doesn't work because it doesn't give Logon Locally rights. I need something that will give Logon Locally rights to all PCs in a domain to a group in a different domain but in the same forest. Thanks in advance.

This conversation is currently closed to new comments.

8 total posts (Page 1 of 1)  
All Comments

by BFilmFan In reply to Administrator Group in Fo ...

The Domain Admins group can only contain members of the local domain. So to resolve that issue, do the following:

Make sure that, for each domain, domain administrators is a member of the administrators group.

Add the Dameware Service account to each of the Administrators groups in each domain.

Most AD designs these days are peer-root domain forests for security separation between the domains; although, the true boundary for security in an AD forest is the forest.

by BFilmFan In reply to

True CG, a universal security group would work, but there seems to be an amazing level of paranoia in getting those implemented in corporate environments. I think they are afraid that someone will assign rights directly to the group instead of making it a member of another domain group which does have rights.

Collapse -

by CG IT In reply to Administrator Group in Fo ...

Universal security group.

by jlbpotter In reply to Administrator Group in Fo ...

Let me modify the question. I can add groups into the Builtin Administrators group on the domain but it doesn't help me with the client PCs. I need something that will have local admin rights on each PC. I can use the local Domain Admins group and it will let me connect, but I don't want to use that account. I want to use my account from a different domain (same forest) and connect. So I need some way to put an account in a group that will have local admin rights on all the PCs similar to the Domain Admins group. Thanks again.

by wdeklerk In reply to Administrator Group in Fo ...

To avoid creating security loopholes, I set up the old HTTP TSWEB application (installed with IIS, found on the adv server CD) on systems across domains. Works perfectly. Much safer than Dameware, and very fast. I set up one on each of the domains, then I log onto the (web)site where it is located and from there I can access any PC on that domain.

by sojournist In reply to Administrator Group in Fo ...

Domain Admins is a Global Group. You cannot add users or groups from another domain to a Global Group.

To give your account, or your domain's Domain Admins group, full administrative privileges in the target domain, add the user or global group to the Administrators group in the target domain. The Administrators group is a built-in Domain Local group found in the Builtin organizational unit.

-s
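
A check for the configuration described in the answer above, as an added example that is not part of the original thread: it lists every member of each domain's Builtin\Administrators group that comes from a different domain in the forest, so cross-domain admin grants stay visible and reviewable. It assumes the ActiveDirectory PowerShell module (RSAT), which postdates Windows 2000, and an account that can read every domain in the forest; the helper name `Get-DomainDnFromDn` is hypothetical.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Well-known SID of the Builtin\Administrators domain local group.
$builtinAdminsSid = 'S-1-5-32-544'

function Get-DomainDnFromDn {
    # Hypothetical helper: reduce an object's DN to the DN of its domain,
    # e.g. "CN=jdoe,OU=IT,DC=a,DC=example" -> "DC=a,DC=example".
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $dcParts = $DistinguishedName -split '(?<!\\),' |
        Where-Object { $_ -match '^DC=' }
    return ($dcParts -join ',')
}

$report = foreach ($domainName in (Get-ADForest).Domains) {
    $domain = Get-ADDomain -Server $domainName

    # Direct members only: a nested group from another domain is reported
    # as the group itself, which is the grant that needs reviewing.
    $members = Get-ADGroupMember -Identity $builtinAdminsSid -Server $domainName

    foreach ($member in $members) {
        $memberDomainDn = Get-DomainDnFromDn -DistinguishedName $member.distinguishedName
        [pscustomobject]@{
            TargetDomain   = $domain.DNSRoot
            Member         = $member.SamAccountName
            ObjectClass    = $member.objectClass
            MemberDomainDn = $memberDomainDn
            # True when the member lives in a different domain than the group.
            CrossDomain    = ($memberDomainDn -ne $domain.DistinguishedName)
        }
    }
}

# Show only principals that hold admin rights in a domain other than their own.
$report |
    Where-Object { $_.CrossDomain } |
    Sort-Object TargetDomain, Member |
    Format-Table -AutoSize
```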
