Linux – Include AD domain admins group in Linux sudoers

You can place the users from the "parent" domain into a global group in the parent domain, then nest that global group into the "Administrators" domain local group in the "child" domain. That will give you the functionality you're looking for (assuming a stock set of AD permissions on the child domain). "Administrators" gets named with the same rights as "Domain Admins" in all the permissions on the AD.

As far as permissions on shares and such that you've created-- that's your problem. >smile<

Edit:

The "BUILTIN\Administrators" group in the child domain does have the same rights to Active Directory as the "Domain Admins" group in the Active Directory. You're not talking about rights to Active Directory in your comment-- you're talking about a default group nesting that gets performed on the Local Users and Groups on member computers. The kind of thing you commented on is what I mean when I said "that's your problem". It's an easy one to fix, too.

This is a job for "Restricted Groups" policy!

So, let's say that you want to modify the behaviour of the local "Administrators" group nesting domain-wide in the child domain.

• Create and link a GPO at the root of the child domain (actually, link it to a sub-OU with a test computer in it first, then when you know it's working, link it to the root of the domain).
• In that GPO, open "Computer Settings", then "Windows Settings", "Security Settings", and "Restricted Groups".
• Right-click "Restricted Groups" and do an "Add Group".
• Click "Browse" in the "Add Group" dialog, key in "Administrators" (not "Domain Admins" or anything else), and click "Check Name" and "OK". Click "OK" to dismiss the "Add Group" dialog.
• In the "Administrators Properties" dialog, click the "Add" button at the top, beside the "Members of this Group" list-box.
• Click "Browse" in the "Add Member" dialog and key in "Domain Admins" and click "Check Name" and "OK". In the "Add Member" dialog, you'll see "CHILDDOMAINNETBIOSNAME\Domain Admins" listed. Click "OK".
• In the "Administrators Properties" dialog, click the "Add" button at the top, beside the "Members of this Group" list-box again.
• Click "Browse" in the "Add Member" dialog and key in the name of the global group in the parent domain that you created to hold users who are getting "Administrator" rights in the child domain. Before you click "Check Name", click "Locations" and choose your parent domain in the "Locations" dialog and click "OK". Then click "Check Name" and "OK". In the "Add Member" dialog, you'll see "PARENTDOMAINNETBIOSNAME\Group name you created" listed. Click "OK".

When this GPO applies to computers, their local "Administrators" group will get the groups "CHILDDOMAINNETBIOSNAME\Domain Admins" and "PARENTDOMAINNETBIOSNAME\Group name you created" nested into it automatically.

You can use Group Policy Preferences to update the Built-in\Administrators groups on the local computers with whatever domain accounts\groups that you'd like. This will not replace existing groups\users unless you explicitly check the option to remove all other group members.

Restricted Groups is the old-school way to do it. GPP is the new, more flexible way.