We have set up a child domain and would like to grant users from the Parent Domain the same rights on the child domain that members of the Domain Admins group are granted.
So, our setup looks like this:
parent.mycompany.com: Primary domain where all Users exist
child.mycompany.com: Child domain used for development
I know that we cannot add users from the parent domain to the Domain Admins group in the child domain because it is a Global group that cannot be changed. Is there a way for me to create a Domain Local or Universal group in the child domain and then grant that group the same rights as the Domain Admins group?
Or any other way that would let me grant a user from the parent domain those rights on the child domain?
Note: All domain controllers are running WS2008 with domain elevated to WS2008 functional level.
Thanks,
jon
Best Answer
You can place the users from the "parent" domain into a global group in the parent domain, then nest that global group into the "Administrators" domain local group in the "child" domain. That will give you the functionality you're looking for (assuming a stock set of AD permissions on the child domain). "Administrators" gets named with the same rights as "Domain Admins" in all the permissions on the AD.
As far as permissions on shares and such that you've created-- that's your problem. >smile<
Edit:
The "BUILTIN\Administrators" group in the child domain does have the same rights to Active Directory as the "Domain Admins" group in the Active Directory. You're not talking about rights to Active Directory in your comment-- you're talking about a default group nesting that gets performed on the Local Users and Groups on member computers. The kind of thing you commented on is what I mean when I said "that's your problem". It's an easy one to fix, too.
This is a job for "Restricted Groups" policy!
So, let's say that you want to modify the behaviour of the local "Administrators" group nesting domain-wide in the child domain.
When this GPO applies to computers, their local "Administrators" group will get the groups "CHILDDOMAINNETBIOSNAME\Domain Admins" and "PARENTDOMAINNETBIOSNAME\Group name you created" nested into it automatically.
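An added PowerShell example (not part of the answer above) of the nesting the answer describes: a global group in the parent domain nested into BUILTIN\Administrators in the child domain, followed by a membership check. The DC hostnames, OU path, group name and user name are assumptions; the Restricted Groups GPO step is not scripted here.

```powershell
# Added example: nest a parent-domain global group into the child domain's
# BUILTIN\Administrators group, then verify the resulting membership.
# All names below are placeholders for this example.
Import-Module ActiveDirectory

$parentDC  = 'dc1.parent.mycompany.com'   # assumed DC in the parent domain
$childDC   = 'dc1.child.mycompany.com'    # assumed DC in the child domain
$groupName = 'ChildDomain-Admins'         # assumed name of the new global group
$groupOU   = 'OU=Groups,DC=parent,DC=mycompany,DC=com'  # assumed OU

# 1. Global group in the parent domain that holds the users who need
#    Domain Admins-equivalent rights in the child domain.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -Server $parentDC)) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path $groupOU -Server $parentDC
}
Add-ADGroupMember -Identity $groupName -Members 'jon' -Server $parentDC  # assumed user

# 2. Nest that group into BUILTIN\Administrators (well-known SID S-1-5-32-544)
#    in the child domain. Cross-domain members are passed as objects fetched
#    from their own domain so the child DC can create the foreign security
#    principal for them instead of failing to resolve a bare name.
$parentGroup = Get-ADGroup -Identity $groupName -Server $parentDC
$childAdmins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $childDC
Add-ADGroupMember -Identity $childAdmins -Members $parentGroup -Server $childDC

# 3. Check: the member attribute should now list a ForeignSecurityPrincipal
#    entry for the parent-domain group alongside CHILD\Domain Admins.
(Get-ADGroup -Identity $childAdmins -Properties member -Server $childDC).member
```

The last line reads the raw member attribute rather than calling Get-ADGroupMember, which can fail to expand members that live in another domain.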