1. Welcome Guest! In order to create a new topic or reply to an existing one, you must register first. It is easy and free. Click here to sign up now!.
    Dismiss Notice

Adding a group to access control list in another Domain

Discussion in 'Windows Security' started by PMC1, Apr 29, 2009.

  1. PMC1

    PMC1 Guest

    Hi,

    I'm want to allow an admin from an external domain access my active
    directory so they can add a Global Security group from this domain
    (DomainA) to the access control list of a share on the external domain
    (DomainB). I want the admin in the external domain to only have Read
    Access to this domain so giving the external Admin the password to an
    administrator account on this domain is not going to work. So my
    question is when creating a user ID for the external admin to use,
    what rights should I grant him to allow him read access to this domain
    such that he can pull down groups from DomainA to be added to ACL's on
    DomainB

    Configuration:
    Both domains are in completely seperate Windows 2003 Forests
    There is a 1 way non transitive external trust from DomainA to DomainB
    (i.e. the external domain trusts this domain but not the other way
    round)

    Thanks in advance for any advise

    Paul
     
    PMC1, Apr 29, 2009
    #1
  3. Mathieu CHATEAU

    Mathieu CHATEAU Guest

    Hello,

    put the groups you want to delegate in an OU, and give him the rights to
    manage these groups through dsa.msc.

    Of course, domain admins group & others mustn't be in this OU (they are
    in OU Users by default)

    Cordialement,
    Mathieu CHATEAU
    french blog:
    english blog:


    PMC1 a écrit :<!--coloro:blue--><span style="color:blue <!--/coloro-->
    > Hi,
    >
    > I'm want to allow an admin from an external domain access my active
    > directory so they can add a Global Security group from this domain
    > (DomainA) to the access control list of a share on the external domain
    > (DomainB). I want the admin in the external domain to only have Read
    > Access to this domain so giving the external Admin the password to an
    > administrator account on this domain is not going to work. So my
    > question is when creating a user ID for the external admin to use,
    > what rights should I grant him to allow him read access to this domain
    > such that he can pull down groups from DomainA to be added to ACL's on
    > DomainB
    >
    > Configuration:
    > Both domains are in completely seperate Windows 2003 Forests
    > There is a 1 way non transitive external trust from DomainA to DomainB
    > (i.e. the external domain trusts this domain but not the other way
    > round)
    >
    > Thanks in advance for any advise
    >
    > Paul<!--colorc--><!--/colorc-->
     
    Mathieu CHATEAU, Apr 30, 2009
    #2

Share This Page