Group nesting

    Question

  • Hi all. I am in need of some guidance with a requirement.

    We have 1 root domain on Windows 2012 and 5 child domains with Windows 2008 R2 and Windows 2012.

    I need to make the Domain Admins in the root domain able to belong or be members, so they can log in and administer the DC in child sites, and due to security requirements I was told to do it only using group nesting.

    So how do I make a domain admin account from Root A be in the rest of the groups of the child domains?

    I have read many, many things but it is not very clear for the requirement.

    I tried using a Universal group that is a member of Domain Admins in the root domain, and in the child domains using local domain groups and local, but I am not able to make users log in to servers in the child domain using the accounts from the root domain.

    Thanks.


    DR.M3rL4

    Friday, February 10, 2017 4:55 PM

Answers

  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by nachio Sunday, February 19, 2017 10:54 PM
    Friday, February 17, 2017 9:13 AM
    Moderator

All replies

  • Hi

    You have two options:

    - You can add these admins to the "Enterprise Admins" group, but that means they will become enterprise admins across the forest. So they will have unlimited permissions.

    - You can create a "Universal group", then add users to this group, then configure delegated permissions for this group (add & remove users, computers, reset passwords, etc.).

    Also check this article to understand "Using Group Nesting Strategy – AD Best Practices for Group Strategy"

    http://blogs.msmvps.com/acefekay/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy/


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Friday, February 10, 2017 6:16 PM
  • Cool, thanks. So there is an option for group nesting?

    DR.M3rL4

    Friday, February 10, 2017 6:25 PM
  • Burak,

    Do we need to delegate permissions to the newly created universal group on each of the domains?

    Saturday, February 11, 2017 6:08 AM
  • Burak,

    Do we need to delegate permissions to the newly created universal group on each of the domains?

    Hi

    Yes, you should configure the related delegated permissions on each domain for this specific universal group.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Saturday, February 11, 2017 8:52 PM
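
The universal-group approach from the replies above, sketched in PowerShell as an added example that is not part of the original thread. The domain names, group name, accounts and the `OU=Managed` target are hypothetical placeholders, and the three delegated rights shown are only the ones named in the answer (add and remove users and computers, reset passwords).

```powershell
# Added example; every name below is a hypothetical placeholder.
Import-Module ActiveDirectory

$RootDomain   = 'root.example.com'                    # forest root (assumed)
$ChildDomains = 'child1.root.example.com',
                'child2.root.example.com'             # child domains (assumed)
$GroupName    = 'UG-Child-Delegated-Admins'           # hypothetical group name
$Admins       = 'admin.alice', 'admin.bob'            # constructed root accounts

# 1. Create one universal security group in the root domain and add the admins.
$root = Get-ADDomain -Server $RootDomain
New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security `
    -Path "CN=Users,$($root.DistinguishedName)" -Server $RootDomain
Add-ADGroupMember -Identity $GroupName -Members $Admins -Server $RootDomain

# 2. Delegation has to be repeated in every child domain, because an ACL set
#    in one domain does not apply to objects in another.
$trustee = "$($root.NetBIOSName)\$GroupName"
foreach ($child in $ChildDomains) {
    $dom    = Get-ADDomain -Server $child
    $dc     = $dom.PDCEmulator                        # a DC in the child domain
    $target = "OU=Managed,$($dom.DistinguishedName)"  # hypothetical OU to delegate

    # Create/delete user and computer objects in the OU and below it.
    dsacls "\\$dc\$target" /I:T /G "${trustee}:CCDC;user" "${trustee}:CCDC;computer"
    # Reset passwords on user objects below the OU.
    dsacls "\\$dc\$target" /I:S /G "${trustee}:CA;Reset Password;user"
}

# 3. Review who actually holds the delegated rights (includes nested members).
Get-ADGroupMember -Identity $GroupName -Server $RootDomain -Recursive |
    Select-Object SamAccountName, distinguishedName
```

Scoping the delegation to an OU rather than the domain root keeps the group well short of Enterprise Admins rights, which is the trade-off the first reply describes.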
  • Cool, thanks. So there is an option for group nesting?

    DR.M3rL4

    Like that;

    - You can create a "Universal group", then add users to this group, then configure delegated permissions for this group (add & remove users, computers, reset passwords, etc.).


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Saturday, February 11, 2017 8:53 PM
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Hi Nachio

    Do you think you already marked the correct answer??? :-)


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Monday, February 20, 2017 8:27 AM