Hi Spiceworkers,
I'm a little frustrated that I can't do this by myself and hope that you guys can help me.

What I want:
A Parent Domain user is local or domain admin in the Child Domain

What I have:
Parent Domain and Child Domain;
Users of the Parent Domain can log in at the Child Domain, but if I try to add one of them as a local admin, for example, I can't find them, because it is always looking in the Child Domain AD and I can't change that to the Parent Domain.


When browsing for the user, do one of two things:

Type in DOMAIN\username, then click Check Name, and OK, where DOMAIN is the parent domain's NetBIOS name.

- OR -

Click the location button and choose either “Entire Directory” or the parent domain, then type in the username and click check name.

So my problem is that I can't see the Parent Domain when I'm browsing in the Child Domain.
If I go to the Parent Domain AD and edit the properties of a user group there, I can add it to the Administrator group in the Child Domain, but after closing the properties window and reopening it, the membership settings are gone.

I didn’t know children could be domain admins.

Ba dum tsss.

Sorry, totally forgot the restrictions of the Domain Admins group type. Domain Admins is a Global Group; as such, it can only contain security principals from its own domain. So you are unable to add users from other domains into this group.

If your end goal is to add this user to CHILD\Domain Admins so that it has administrative access to all machines in the child domain, I would instead recommend one of the following:

  • Configure a GPO that inserts the PARENT\Domain Admins into the local administrators group of the computers in the CHILD domain

  • Add the PARENT\Domain Admins group to the PARENT\Enterprise Admins group

  • Add the PARENT\Domain Admins group to the CHILD\Administrators group (this effectively accomplishes the same thing as adding it to the PARENT\Enterprise Admins group)

  • Create a new administrative account in the CHILD domain for this purpose.

I should note that my preference would be the last option, or an unlisted option which involves creating new groups (Domain Local) in the child domain which - when combined with a GPO - confer the appropriate local administrative access on domain members.

I do not fully understand what it is you’re saying here. Are you saying that you add a user to a group, apply it, and then when re-opening it, it's gone?
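
The Domain Local group option mentioned in the reply above, as an added example that is not part of the original thread: it shows the scope of CHILD\Domain Admins, creates a Domain Local group in the child domain, and adds a parent-domain account to it. The domain names, OU path, group name and user name are placeholders, and the GPO that grants the group local administrator rights is not shown.

```powershell
# Added example, not from the thread. All names below are placeholders.
Import-Module ActiveDirectory

$ParentDomain = 'parent.example'                          # placeholder parent domain DNS name
$ChildDomain  = 'child.parent.example'                    # placeholder child domain DNS name
$GroupName    = 'Child-LocalAdmins'                       # hypothetical group name
$GroupPath    = 'OU=Groups,DC=child,DC=parent,DC=example' # placeholder OU in the child domain
$ParentUser   = 'jdoe'                                    # placeholder sAMAccountName in the parent domain

# Domain Admins is a Global group, so it only accepts members from its own domain.
Get-ADGroup -Identity 'Domain Admins' -Server $ChildDomain |
    Select-Object Name, GroupScope, GroupCategory

# Create a Domain Local security group in the child domain unless it already exists.
# Domain Local groups can hold security principals from other domains in the forest.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $ChildDomain
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope DomainLocal -GroupCategory Security `
        -Path $GroupPath -Server $ChildDomain -PassThru
}

# Resolve the account against the parent domain, then write its DN
# into the member attribute of the child-domain group.
$user = Get-ADUser -Identity $ParentUser -Server $ParentDomain
Set-ADGroup -Identity $group -Add @{ member = $user.DistinguishedName } -Server $ChildDomain

# Read the membership back from the child domain to confirm it persisted.
Get-ADGroup -Identity $group -Properties member -Server $ChildDomain |
    Select-Object -ExpandProperty member
```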