Guest PMC1
Posted April 29, 2009

Hi,

I want to allow an admin from an external domain to access my Active Directory so they can add a Global Security group from this domain (DomainA) to the access control list of a share on the external domain (DomainB). I want the admin in the external domain to only have Read Access to this domain, so giving the external admin the password to an administrator account on this domain is not going to work. So my question is: when creating a user ID for the external admin to use, what rights should I grant him to allow him read access to this domain such that he can pull down groups from DomainA to be added to ACLs on DomainB?

Configuration:
Both domains are in completely separate Windows 2003 forests.
There is a 1-way non-transitive external trust from DomainA to DomainB (i.e. the external domain trusts this domain but not the other way round).

Thanks in advance for any advice,

Paul

Guest Mathieu CHATEAU
Posted April 30, 2009

Hello,

Put the groups you want to delegate in an OU, and give him the rights to manage these groups through dsa.msc.

Of course, the domain admins group & others mustn't be in this OU (they are in OU Users by default).

Regards,
Mathieu CHATEAU
French blog: http://www.lotp.fr
English blog: http://lordoftheping.blogspot.com

PMC1 wrote:
> Hi,
>
> I want to allow an admin from an external domain to access my Active
> Directory so they can add a Global Security group from this domain
> (DomainA) to the access control list of a share on the external domain
> (DomainB). I want the admin in the external domain to only have Read
> Access to this domain, so giving the external admin the password to an
> administrator account on this domain is not going to work. So my
> question is: when creating a user ID for the external admin to use,
> what rights should I grant him to allow him read access to this domain
> such that he can pull down groups from DomainA to be added to ACLs on
> DomainB?
>
> Configuration:
> Both domains are in completely separate Windows 2003 forests.
> There is a 1-way non-transitive external trust from DomainA to DomainB
> (i.e. the external domain trusts this domain but not the other way
> round).
>
> Thanks in advance for any advice,
>
> Paul