Posted by GPObmp on August 18, 2006, 6:01 am
Unfortunately I would have to agree with you, it looks like this is my
only solution. (Or just permission each GPO to the Forest A Admins
group upon creation)
Thanks for your input anyway.
Roger Abell [MVP] wrote:
> Your analysis of the rules for group nesting is mostly correct.
> It is possible to change the default security descriptor for AD objects,
> such as GPOs, in order to impact the security set on newly defined
> GPOs. However, you would need to make further changes so that
> all aspects of GPO editing could be accomplished (like permissions
> on policy objects in SysVol, on adm templates used for editing, etc.)
> and you would need to revisit all existing GPOs.
> I am also concerned that you are not using a W2k3 forest-level
> trust (i.e. Kerberos enabled) and so the cross-forest authentication
> would be NTLM based.
> In short, your simple solution would be to provision accounts in the
> trusting forest that are Domain Admins there.
>
> > I have 2 forests, Forest A and Forest B.
> >
> > There is a one way non transitive trust going from Forest B to Forest A
> > so in summary, Forest B trusts Forest A.
> >
> > I have a group in Forest A called "Forest A Admins"
> > This group is a member of the BUILTIN\Administrators group in Forest B.
> > Unfortunately this membership does not give my "Forest A Admins" group
> > enough rights in Forest B.
> >
> > I need the members of "Forest A Admins" to edit all GPOs in Forest B.
> >
> > I know I can manually go in and edit the delegation of each GPO in
> > Forest B however I want this group to have explicit rights over all
> > GPOs in Forest B no matter who created them.
> >
> > As far as I know there is only one group which has this access, this is
> > the "Domain Admins" group from Forest B.
> >
> > Unfortunately as my "Forest A Admins" group is a Universal (to become a
> > member of BUILTIN\Administrators) it cannot be added to the "Domain
> > Admins" group in Forest B as it is a Global group.
> >
> > As far as I know, I am officially stuck and there is no way around, I
> > have tried every membership under the sun to get my "Forest A Admins"
> > into the Forest B "Domain Admins" but it is impossible.
> >
> > So far, this is what I have gathered.
> >
> > The only group in Forest A which can get membership in a group in
> > Forest B is a Universal Group.
> >
> > The only group a Forest A universal group can be a member of in Forest
> > B is a Local Group.
> >
> > In Forest B, a Local Group can only be a member of another Local group
> >
> > The only Local Group in Forest B which gives me most of the rights I need
> > is the "BUILTIN\Administrators" group.
> >
> > This group does not have sufficient rights to have full access to every
> > GPO.
> >
> > Apart from the Forest B Domain Admins, there is no way to get full
> > rights over every GPO ever created in Forest B using a Forest A User
> > Account.
> >
> > All I can think of is hacking the schema.
> > I would be extremely grateful for any input.
> >
> > Thanks,
> >
> > Blake.
> >
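The per-GPO delegation fallback GPObmp settles on, written out as an added example (not code from the thread or from either poster): it audits every GPO in Forest B for the cross-forest group, grants full control where it is missing, and re-reads the ACL so the result can be checked. It assumes a Windows Server 2008 R2 or later admin host with the GroupPolicy module, a Forest B Domain Admin session, and placeholder names for the domain and group; the group must be Universal, as the thread explains, and the script has to be re-run for GPOs created later, since it changes nothing about the default security descriptor.

```powershell
# Added example, not from the original thread. Domain and group names below are
# placeholders; replace them with the real Forest B domain and the Universal
# group from Forest A.
Import-Module GroupPolicy

$ForestBDomain    = 'forestb.example'          # placeholder Forest B DNS name
$CrossForestGroup = 'FORESTA\Forest A Admins'  # placeholder, must be a Universal group
$Level            = 'GpoEditDeleteModifySecurity'  # full control over the GPO object
$DryRun           = $true                      # set to $false to actually grant rights

# Walk every GPO in Forest B: record whether the group already has full control,
# grant it when missing (unless dry-running), then verify what the ACL now says.
$report = foreach ($gpo in Get-GPO -All -Domain $ForestBDomain) {
    # Get-GPPermission errors when the target has no ACE at all, so treat that as "none".
    $current = Get-GPPermission -Guid $gpo.Id -TargetName $CrossForestGroup `
        -TargetType Group -DomainName $ForestBDomain -ErrorAction SilentlyContinue
    $had = [bool]($current -and $current.Permission -eq $Level)

    if (-not $had -and -not $DryRun) {
        Set-GPPermission -Guid $gpo.Id -TargetName $CrossForestGroup -TargetType Group `
            -PermissionLevel $Level -DomainName $ForestBDomain | Out-Null
        $current = Get-GPPermission -Guid $gpo.Id -TargetName $CrossForestGroup `
            -TargetType Group -DomainName $ForestBDomain
    }

    [pscustomobject]@{
        Gpo            = $gpo.DisplayName
        Guid           = $gpo.Id
        HadFullControl = $had
        NowFullControl = [bool]($current -and $current.Permission -eq $Level)
    }
}

# Rows where NowFullControl is still $false (after a real run) need a closer look;
# SysVol folder ACLs and ADM template locations are separate, as Roger notes above.
$report | Format-Table -AutoSize
```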