
Multiple Domain Administration

Author
8 Feb 2006 9:44 PM
renners
Here is my quest....
I have a Forest with a Root domain and 9 child domains:
What I want to accomplish is to log into the child domain with an
account from the Root domain and administrate the child domains.
I am currently an enterprise admin in the root domain and have no
problems accessing the DC of the child domains through a Remote Desktop
connection.  The problem arises when I attempt to access the other
member servers with a Remote Desktop Connection of one of the child
domains.  Windows 2000 servers will give me a "You do not have access
to logon to this Session" error or "The Local Policy of this System
Does Not Permit you to log on interactively" errors.

I have placed a Global Group from the forest root domain into the built-in
Administrators and the Remote Desktop groups of the Child domains
and still get this error.

Do I have to place this Global Group from the forest root domain into
the local administrators group on each server?  I ask this only because
this is the only time this works as I expect it to.  Or do I have to
create an OU and move all of the servers into this OU and set Policies
at this level.   I am kind of leery about doing this due to the fact
that we have a large Citrix installation and I would hate to lock all
of the end users out (although that would make my job easier!! ;-)  )

Long story short, is there a short and easy way I am overlooking?  What
is the easiest way to make this happen?

As always, thanks in advance for your help

Author
10 Feb 2006 4:38 AM
Neil Denison
I think that by default the domain admins are the ones with default access to
RDP connections. You might try adding the Enterprise Admins group to the
Remote Desktop Users Group if you have 2003 servers, or if you have 2000
boxes, try adding Enterprise Admins to the permissions on the RDP connections
in Terminal Services Manager.

As an enterprise admin, you should be able to finesse the access - as you
are thinking. Keep in mind that the Enterprise Admins group, while enormously
powerful, is not included by default everywhere. Consequently you have to add
it to the right places just like any other user group for many things.

Just my thoughts
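
Each member server keeps its own local Administrators group (and, on 2003, Remote Desktop Users), separate from the child domain's built-in groups, which only govern the domain controllers. As an added example that is not part of either post, this read-only PowerShell check reports per server whether a forest-root group is present in those local groups; the group and server names are hypothetical placeholders.

```powershell
# Added example: audit local group membership on member servers (read-only).
# All names below are assumed placeholders, not values from the thread.
$Group       = 'ROOT\Child-Server-Admins'        # global group from the forest root domain
$Servers     = 'CHILD1-APP01', 'CHILD1-CTX01'    # member servers to check
$LocalGroups = 'Administrators', 'Remote Desktop Users'

function Get-LocalGroupMemberName {
    param([string]$Computer, [string]$LocalGroup)
    # The WinNT provider reads the machine-local group on $Computer,
    # not the domain's Builtin container.
    $g = [ADSI]"WinNT://$Computer/$LocalGroup,group"
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        # ADsPath has the form WinNT://DOMAIN/name for domain accounts.
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$report = foreach ($server in $Servers) {
    foreach ($lg in $LocalGroups) {
        try {
            $members = @(Get-LocalGroupMemberName -Computer $server -LocalGroup $lg)
            $status  = if ($members -contains $Group) { 'present' } else { 'missing' }
        }
        catch {
            # Server unreachable, access denied, or the group does not exist
            # (Windows 2000 has no Remote Desktop Users group).
            $status = 'not readable'
        }
        New-Object PSObject -Property @{
            Server     = $server
            LocalGroup = $lg
            RootGroup  = $status
        }
    }
}

$report | Sort-Object Server, LocalGroup | Format-Table Server, LocalGroup, RootGroup -AutoSize
```

Servers that report `missing` for Administrators are the ones where the forest-root account will be refused at logon; the same list shows where a Restricted Groups policy or a manual addition has not yet taken effect.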