Advertisement
Forgive any errors in terminology!<\/p>\n
Alright. We have a domain, and 3 subdomains. My account, of course, is on one of the child domains.<\/p>\n
I need to be able to administer accounts on the other domains, and I would MUCH rather use Users and Computers on my machine rather than logging into a server with RDC.<\/p>\n
Is there anyway to get my account to be a domain admin on all the servers? When I try to add a user to the domain admin group on the parent server, and choose my server to look in, AD will only look at Contacts or Other.<\/p>\n
If that will not work, can I create a user on the parent server and set it to be an admin on all the child servers as well?<\/p>\n
Thanks!!!<\/p>","upvoteCount":4,"answerCount":19,"datePublished":"2011-09-09T08:06:48.000Z","author":{"@type":"Person","name":"Technical-Angel","url":"https://community.spiceworks.com/u/Technical-Angel"},"acceptedAnswer":{"@type":"Answer","text":"
jeremymaritz wrote:<\/p>\n
\nPersonally I’d be a bit worried that there’s no propagation of the Enterprise Admin group down to all the servers in the forest, like something didn’t take when they were dc-promoted…<\/p>\n
…unless they weren’t promoted, in which case I’d do that first.
<\/p>\n
Secondly I would just use the MMC AD Users and Computers plugin on the workstation and use that to connect to each server to adjust rights instead of killing time on RDC.<\/p>\n<\/blockquote>\n
I must have missed a post but from my read it looks like she’s the admin of one of the child domains, and likely in it’s local admin group.<\/p>\n
I think the root issue here is a goofy AD structure to go along with a goofy administrative users policy. If she needs to manage all domains she should be in the parent domain, in the administrative OU and be in a “Admins” group as well.<\/p>\n
At least that’s how I’d do it
Forgive any errors in terminology!<\/p>\n
Alright. We have a domain, and 3 subdomains. My account, of course, is on one of the child domains.<\/p>\n
I need to be able to administer accounts on the other domains, and I would MUCH rather use Users and Computers on my machine rather than logging into a server with RDC.<\/p>\n
Is there anyway to get my account to be a domain admin on all the servers? When I try to add a user to the domain admin group on the parent server, and choose my server to look in, AD will only look at Contacts or Other.<\/p>\n
If that will not work, can I create a user on the parent server and set it to be an admin on all the child servers as well?<\/p>\n
Thanks!!!<\/p>","upvoteCount":4,"datePublished":"2011-09-09T08:06:48.000Z","url":"https://community.spiceworks.com/t/domain-admin-rights-across-domains/101872/1","author":{"@type":"Person","name":"Technical-Angel","url":"https://community.spiceworks.com/u/Technical-Angel"}},{"@type":"Answer","text":"
If you are supposed to have accross the board rights can they just add you to Enterprise admins to keep it simple?<\/p>","upvoteCount":2,"datePublished":"2011-09-09T08:10:52.000Z","url":"https://community.spiceworks.com/t/domain-admin-rights-across-domains/101872/2","author":{"@type":"Person","name":"justin.davison","url":"https://community.spiceworks.com/u/justin.davison"}},{"@type":"Answer","text":"
I tried that also. There is not an Enterprise admins group on my server, and I have the same problem adding my account on the Enterprise admins group on the parent server as I do on the domain admins group.<\/p>","upvoteCount":0,"datePublished":"2011-09-09T08:18:22.000Z","url":"https://community.spiceworks.com/t/domain-admin-rights-across-domains/101872/3","author":{"@type":"Person","name":"Technical-Angel","url":"https://community.spiceworks.com/u/Technical-Angel"}},{"@type":"Answer","text":"
If you are only an admin of one of the child domains you will not be able to elevate your rights. You will need an admin from the parent domain to do that or one of the admins from the other child domains to add your account to their admin groups on the servers you want to access assuming that there is a trust between the child domains.<\/p>","upvoteCount":2,"datePublished":"2011-09-09T08:32:15.000Z","url":"https://community.spiceworks.com/t/domain-admin-rights-across-domains/101872/4","author":{"@type":"Person","name":"jbland","url":"https://community.spiceworks.com/u/jbland"}},{"@type":"Answer","text":"
I have been trying to change my rights while logged into the domain admin account on the parent server.<\/p>","upvoteCount":0,"datePublished":"2011-09-09T08:41:31.000Z","url":"https://community.spiceworks.com/t/domain-admin-rights-across-domains/101872/5","author":{"@type":"Person","name":"Technical-Angel","url":"https://community.spiceworks.com/u/Technical-Angel"}},{"@type":"Answer","text":"
Is the issue that you have credentials on the other domains, but you would rather just run Active Directory Users and Computers locally on your workstation under your account in a child domain?<\/p>\n
If so, you can use RunAs with the MMC console<\/p>\n
runas /user:PARENTDOMAIN\\USER “mmc %windir%\\system32\\dsa.msc”<\/p>","upvoteCount":0,"datePublished":"2011-09-09T08:42:33.000Z","url":"https://community.spiceworks.com/t/domain-admin-rights-across-domains/101872/6","author":{"@type":"Person","name":"danieleaton1795","url":"https://community.spiceworks.com/u/danieleaton1795"}},{"@type":"Answer","text":"
+1 for what Birda said. You cannot just add yourself as an admin to the other domains, you need someone who already has the elevated privs to add you. We ran into that a LOT at IBM when administering client’s accounts. Gaining access was the hardest part of support on some of those accounts. Hopefully someone knows the credentials for the Ent Admin account and can add you. otherwise you will need to get someone who is an Admin on the other two accounts to add you and hope one of them has access to the root (parent) domain.<\/p>","upvoteCount":1,"datePublished":"2011-09-09T08:42:49.000Z","url":"https://community.spiceworks.com/t/domain-admin-rights-across-domains/101872/7","author":{"@type":"Person","name":"scott696d","url":"https://community.spiceworks.com/u/scott696d"}},{"@type":"Answer","text":"
Check your forest (above the domain) for the Enterprise Account.<\/p>","upvoteCount":0,"datePublished":"2011-09-09T08:52:47.000Z","url":"https://community.spiceworks.com/t/domain-admin-rights-across-domains/101872/8","author":{"@type":"Person","name":"johnhammond2027","url":"https://community.spiceworks.com/u/johnhammond2027"}},{"@type":"Answer","text":"
I have the admin password (yes, one password, not happy) for all the domain admin accounts. I have been using the domain admin account to try to change my rights, but I might not be doing something correctly.<\/p>\n
Daniel, pretty much. I have the administrator password for all the domains. I have been using RDC and logging into the exchange server on each domain as the administrator for that domain to change passwords. (I forgot, while pushing for everyone to change their passwords, including those using password as a password, that those just using webmail, a great part of our users, have no way to change the password themselves… they can just call me… sigh.)<\/p>\n
And, thanks. I think that’s probably what I’ll do. If I run it as the parent server’s admin account, I should be able to open multiple instances, and pull up each server, rather than changing the domain as needed, since it’s SLOW!!!<\/p>","upvoteCount":0,"datePublished":"2011-09-09T08:53:35.000Z","url":"https://community.spiceworks.com/t/domain-admin-rights-across-domains/101872/9","author":{"@type":"Person","name":"Technical-Angel","url":"https://community.spiceworks.com/u/Technical-Angel"}},{"@type":"Answer","text":"
What version of Exchange do you have?<\/p>\n
You can setup Exchange to allow users to reset their passwords via OWA.<\/p>\n
Exchange 2003<\/p>\n