locked
How to administrator ad user accounts from another forest? RRS feed

  • Question

  • Hello Community

        In a Windows Server 2008 (Server1), there is One-way trust relationship where
    this Server1 is the trusting server that is allowing user from a different domain
    to access its resources.

        The question is now that the users from the other domain have been added as users in
    Server1's domain, as the admin of Server1 what if I want to disable one of those users account
    or something like that. 

        As I am only admin in Server1 domain am I able to disable a user account or modify any of
    the users privileges from this domain (especially when those users have been brought in a group)
    or do I have to also be an admin in the other domain where the users came from to administrator
    their user accounts?

        Thank you
        Shabeaut

    Tuesday, February 25, 2014 8:47 PM

Answers

  • You need the objects to be in that forest in order to manage or assign privileges, otherwise they are just references or pointers to objects in the other forest. If you want to migrate users from forest A to forest B you need ADMT or some 3rd party tool. 

    http://mariusene.wordpress.com/

    • Marked as answer by Shabeaut Wednesday, February 26, 2014 2:03 PM
    Wednesday, February 26, 2014 5:03 AM
  • Hi,

    As Marius has already implied the objects are not in your forest so you can't move them around in your forest. You can add and remove them from your forests groups, but that's pretty much it. Otherwise you have to have admin rights in the other forest.

    Thanks

    Denis


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer

    Blog: http://www.windows-support.co.uk  Twitter:   LinkedIn:

    • Marked as answer by Shabeaut Wednesday, February 26, 2014 2:02 PM
    Wednesday, February 26, 2014 7:27 AM

All replies

  • Unless you have any administrative rights in the other domain you can't manage those users accounts, all you can do is remove them from security groups / permissions on your server, but you can't disable those accounts. 

    <p style="font-family:Arial">Regards,</p> <p style="font-family:Arial">Denis Cooper </p> <p style="font-family:Arial">MCITP EA - MCT</p> <p><font size="1">Help keep the forums tidy, if this has helped please mark it as an answer</font></p> <p><a href="http://www.windows-support.co.uk">My Blog</a></p> <b>LinkedIn:</b> <a href="http://lnkd.in/Xna_7C" target="_blank"><img src="http://goo.gl/FPvEb" border="0"></a>

    Tuesday, February 25, 2014 9:00 PM
  • Hello Denis Cooper

        Is it possible to move those trusted users to other groups or
    OU's in this forest and then assigning them privileges in this forest or
    moving them out of groups as individual users in this forest and
    assigning them different privileges in this forest?

        Thank you
        Shabeaut

    Wednesday, February 26, 2014 1:42 AM
  • You need the objects to be in that forest in order to manage or assign privileges, otherwise they are just references or pointers to objects in the other forest. If you want to migrate users from forest A to forest B you need ADMT or some 3rd party tool. 

    http://mariusene.wordpress.com/

    • Marked as answer by Shabeaut Wednesday, February 26, 2014 2:03 PM
    Wednesday, February 26, 2014 5:03 AM
  • Hi,

    As Marius has already implied the objects are not in your forest so you can't move them around in your forest. You can add and remove them from your forests groups, but that's pretty much it. Otherwise you have to have admin rights in the other forest.

    Thanks

    Denis


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer

    Blog: http://www.windows-support.co.uk  Twitter:   LinkedIn:

    • Marked as answer by Shabeaut Wednesday, February 26, 2014 2:02 PM
    Wednesday, February 26, 2014 7:27 AM