Active Directory Trusts and Remote Domain Administration

Question

I've done a lot of searching and have come up blank. A lot of people have asked similar questions, but the answers don't really help in my situation. I have a number of customer domains that I would like my support staff to be able to support without having to create separate user accounts in every domain. The domain trusts are easy and set up with no difficulty. The problem obviously comes when trying to grant administrative permissions in the trusting domains to our central accounts.

As any Google search will show you, you can't add foreign security principals to Global AD groups. Regardless of what terminology you want to use for this, from everything I've found you just flat-out don't get to take advantage of the built-in Domain Admins group when you want to grant a trusted domain those kinds of permissions. Instead, you have to use something like the AGDLP method discussed here (http://blogs.msmvps.com/acefekay/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy/). Well, if you were just one company with one trusting domain, then you 'may' be able to accomplish this manually faster than writing this post. However, if you're a service provider with many customer domains, this becomes a totally different prospect. Manually assigning 20+ different local and domain-wide baked-in permissions and group memberships for dozens of domains will take a very long time to accomplish, not to mention require all those same steps every time a new customer is onboarded.

It's very frustrating to have full connectivity and trust relationships between us and our customers set up with no sweat at all, but then to be totally hampered by the restrictions of nested groups as they relate to foreign security principals. We can certainly execute PowerShell scripts on all of our customer domain controllers, but that in and of itself still doesn't address all the local server and workstation permissions needed for us to do our job. If I have full administrative permissions on all these domains, is it really true that there's just no simple way to centrally provide administrative permissions to all of them? I'm assuming this limitation must be related to a security concern; however, it seems like a pretty big security problem when I've got to manage dozens of different user accounts for each administrator, which means that to do this effectively remotely via script I have to pass credentials through our RMM tool and can't be certain it's going to be encrypted all the way through the process, and/or have to worry about locally stored copies of scripts containing clear-text passwords, etc.

Maybe I'm just totally missing something, but if so, then I would have thought my searches would have shown a pretty easy solution to this problem. Any help is greatly appreciated.

Monday, June 6, 2016 1:00 AM
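The AGDLP pattern the post refers to, scripted so it can be repeated per customer domain, as an added example that is not code from the original post or from the linked blog. It assumes the ActiveDirectory PowerShell module, an existing trust from each customer domain to the provider domain, sufficient rights in the customer domain, and that passing a group object resolved against the provider's DC lets Add-ADGroupMember create the foreignSecurityPrincipal object; all domain and group names are constructed.

```powershell
# Added example: A (provider accounts) -> G (provider global group) -> DL (domain local group
# created in each customer domain) -> P (permissions granted to the DL group).
# Domain local scope is the only group scope that can hold foreign security principals,
# which is why the provider's global group cannot go straight into Domain Admins.
Import-Module ActiveDirectory

function Grant-SupportDelegation {
    param(
        [Parameter(Mandatory)] [string] $CustomerDomain,   # constructed, e.g. corp.customer-a.example
        [Parameter(Mandatory)] [string] $ProviderDomain,   # constructed, e.g. msp.example
        [string] $ProviderGroup   = 'SupportStaff',        # global group in the provider domain (G)
        [string] $DelegationGroup = 'MSP-SupportAdmins'    # domain local group in the customer domain (DL)
    )

    # Talk to a DC in each domain explicitly; the AD module does not follow trusts on its own.
    $customerDc = (Get-ADDomainController -DomainName $CustomerDomain -Discover).HostName[0]
    $providerDc = (Get-ADDomainController -DomainName $ProviderDomain -Discover).HostName[0]

    # Create the domain local group once; re-running onboarding must be safe.
    $dl = Get-ADGroup -Filter "Name -eq '$DelegationGroup'" -Server $customerDc
    if (-not $dl) {
        $dl = New-ADGroup -Name $DelegationGroup -GroupScope DomainLocal -GroupCategory Security `
                          -Description "Delegated support access for $ProviderDomain" `
                          -Server $customerDc -PassThru
    }

    # Resolve the provider group against its own DC so the object carries its SID; the customer
    # domain stores it as a foreignSecurityPrincipal when it is added to the DL group (assumption).
    $providerGrp = Get-ADGroup -Identity $ProviderGroup -Server $providerDc
    Add-ADGroupMember -Identity $dl -Members $providerGrp -Server $customerDc

    # P: Builtin\Administrators is itself a domain local group, so it accepts the DL group.
    # Rights on member servers and workstations are granted to the same DL group through a
    # Restricted Groups GPO, keeping one group per customer domain as the single place to audit.
    Add-ADGroupMember -Identity 'Administrators' -Members $dl -Server $customerDc

    return $dl
}

# Onboarding loop: one call per customer domain (list is constructed).
foreach ($domain in @('corp.customer-a.example', 'corp.customer-b.example')) {
    Grant-SupportDelegation -CustomerDomain $domain -ProviderDomain 'msp.example'
}
```

Membership of each customer's delegation group is then the only thing to review when a support engineer leaves the provider, since the account itself lives solely in the provider domain.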