Administrator can't edit GPO
Hello,
Maybe I am missing the best way to make Domain Admins in one domain Domain Admins in another.
We have two domains in a forest, Cars and Trucks. I have added a universal group containing the Cars Domain Admins to the Administrators group in Trucks. A Cars Domain Admin can create and delete a new GPO in Trucks but they cannot edit the Default Domain Policy.
Does anyone know why this is occurring?
Thanks!
March 3rd, 2011 1:33pm
Hi,
Ensure that you add the Cars Domain Admins to the Trucks Domain Admins group. By default, only domain administrators, enterprise administrators, and members of the Group Policy Creator Owners group can create and edit the Default Domain Policy.
Reference:
Updating the Default Domain Policy GPO and the Default Domain Controllers Policy GPO
http://technet.microsoft.com/en-us/library/dd378987(WS.10).aspx
Best Regards
Dale
March 4th, 2011 1:13am
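A way to check and fix this from the Trucks side, as an added example that is not part of the thread: it uses the GroupPolicy and ActiveDirectory modules (GPMC/RSAT) to show the scope of Domain Admins, list who actually holds edit rights on the Default Domain Policy, and then delegate GpoEdit on that one GPO to the cross-domain universal group. The domain name trucks.example.com, the group name CARS\CarsDomainAdmins-U, and the DOMAIN\name form passed to -TargetName for the cross-domain trustee are assumptions for this example.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy and ActiveDirectory
# modules (GPMC / RSAT) and that it is run as a Trucks Domain Admin or an Enterprise
# Admin. The domain name and group name below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$TrucksDomain     = 'trucks.example.com'        # assumed DNS name of the Trucks domain
$CrossDomainGroup = 'CARS\CarsDomainAdmins-U'   # assumed universal group holding Cars Domain Admins
$GpoName          = 'Default Domain Policy'
$EditLevels       = @('GpoEdit', 'GpoEditDeleteModifySecurity')

# 1. Why nesting into Domain Admins fails: it is a global group, so it can only
#    contain principals from its own domain. A universal group can hold members
#    from any domain in the forest, which is why the poster used one.
Get-ADGroup -Identity 'Domain Admins' -Server $TrucksDomain |
    Select-Object Name, GroupScope

# 2. Who can edit the GPO? Edit rights come from the GPO's own ACL, not from
#    membership in BUILTIN\Administrators. By default that ACL grants edit only to
#    Domain Admins, Enterprise Admins and SYSTEM, so a Cars admin sitting in the
#    Trucks Administrators group can create GPOs (a right on the Policies
#    container) but cannot open this one for editing.
$perms = Get-GPPermission -Name $GpoName -DomainName $TrucksDomain -All
$perms |
    Select-Object @{ n = 'Trustee'; e = { "$($_.Trustee.Domain)\$($_.Trustee.Name)" } },
                  Permission, Inherited |
    Format-Table -AutoSize

$groupShortName = ($CrossDomainGroup -split '\\')[-1]
$alreadyEditor  = $perms | Where-Object {
    $_.Trustee.Name -eq $groupShortName -and $EditLevels -contains $_.Permission
}

# 3. Delegate edit rights on this single GPO to the cross-domain group.
#    Set-GPPermission writes both the AD object ACL and the matching SYSVOL folder
#    ACL, so the edit works in GPMC and on the policy files. GpoEdit does not allow
#    deleting the GPO or changing its security; use GpoEditDeleteModifySecurity only
#    if that is really required.
if (-not $alreadyEditor) {
    Set-GPPermission -Name $GpoName -DomainName $TrucksDomain `
        -TargetName $CrossDomainGroup -TargetType Group `
        -PermissionLevel GpoEdit | Out-Null
}

# 4. Verify from the GPO side that the group now appears with the expected level.
Get-GPPermission -Name $GpoName -DomainName $TrucksDomain `
    -TargetName $CrossDomainGroup -TargetType Group
```

Whoever can edit the Default Domain Policy can push startup scripts, scheduled tasks and security settings to every computer in Trucks, so this delegation is effectively tier-0 access: keep the group small, and enable Directory Service Changes auditing on the Policies container so each edit (event 5136) is attributable to a named account.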
Hi Dale,
I don't see how this is possible since Global Groups can only include either users or other Global Groups from the same domain.
http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx
I thought adding a universal group containing the Cars Domain Admins to the Administrators group in Trucks would accomplish the same. I'd appreciate your advice.
Robert
March 4th, 2011 1:26pm
Typically you would simply use an Enterprise Admin account to manage both domains. This is the hierarchy that has been established for quite a long time. Obviously you would follow best practices.
As for a tiered delegation of permissions for a structure like this, each item takes precedence over the lower tier:
Forest > Child Domains > Branch offices
Enterprise Admins > Domain Admins > Delegated OU Admins (2008+ specific: domain users with delegated permission to add/remove/edit/etc. AD objects in that OU)
Your best practice step in this scenario is to use the primary domain admin account provided. The default domain Administrator account is also an Enterprise Admin by default, so it will work to make changes through both domains.
What is your IT Structure like, do you have more than 1-2 admins?
Steve Kline
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Product Specialist
Microsoft Certified Network Product Specialist
Red Hat Certified System Administrator
This posting is "as is" without warranties and confers no rights.
March 4th, 2011 1:55pm
A further note on my previous post: if you're the only admin, best practice is that you create yourself a standard domain user account and use your admin account as needed for administrative functions.
If the scenario is that you have more than one admin, you create two duplicate administrator accounts, renamed for identity purposes and auditing. Upon creation of a second admin account, you should log the time it was created and which of the two administrators is using which account. So if you need to go back in time to audit who changed something or who added, deleted, etc. anything, you can look at your time logs and see: OK, that was admin account ____, and JOE SCHMOE was assigned that account during that time.
These admin accounts should also have different passwords, etc. There's a huge mess I could go into for this, but I think you get the idea. If you're the only admin or you're delegating permissions for a multi-domain admin, just provide the Enterprise Admins group.
Here's a securing AD technet page for you so you can take your own practical approach to hardening your infrastructure.
http://technet.microsoft.com/en-us/library/cc700835.aspx
Steve Kline
March 4th, 2011 2:01pm
Was the question how to secure AD? Or how to access a GPO? Thanks for all the irrelevant information that shows how informed you are. And just to head off the usual posters: 1. RTFM 2. Google it dude 3. Mine works great! 4. Try doing all the stuff you just said you did and it should work. You guys just like to talk.
July 13th, 2011 9:36am