Re: Cross Domain privileges for Domain Admins

Subject: Re: Cross Domain privileges for Domain Admins
Posted by:  Ace Fekay [Microsoft Certified Trainer] (acem…@mvps.RemoveThisPart.org)
Date: Thu, 11 Jun 2009

"blankmonkey" <blankmonk…@discussions.microsoft.com> wrote in message
news:5E50FE94-78F8-4EC6-A84A-A23F16BD7D…@microsoft.com...
> 2008 native Domain setup (no 2003 or older)
>
>                            /----Domain-Child1 (Users)
> Domain-Parent---
>                            \----Domain-Child2 (Servers, applications, services)
>
> I have complete control over all the domains.
> It has been decided via Policy that all users will reside in Domain-Child1.
> What trusts need to be set up, groups setup, members added, etc. so that I
> can use 1 user account, and be a Domain Admin in BOTH Domain-Child1 and
> Domain-Child2?
>
> Remember, POLICY says user MUST reside in Domain-Child1, and I may not be
> an enterprise admin.

I agree as well with Paul and Meinolf. Why bother with the child domains? I
don't know your company's full business requirements or administrative
breakdown, but single domains work fine 99% of the time. Otherwise, it
will complicate matters and introduce additional costs and administration
overhead, as well as complicate the DNS resolving infrastructure to support
it. As said, the security boundary is the forest, therefore, you can control
access by administrators by using OU delegation to specific locations or
departments while you have carte blanche on the forest.

Remember, use the KISS method. The more complicated it gets, especially if
it doesn't need to be, the more it can introduce security issues as well. I've seen
global networks with 1000's of users all in one domain with no problems.
I've also seen global networks with multiple child domains with
complications that could have been avoided if it were one domain.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
acem…@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay

In response to

Cross Domain privileges for Domain Admins posted by blankmonkey on Wed, 10 Jun 2009