
January 7, 2021

Cross forest Domain Admins GPO

This process lets the Domain Admins group from one forest be added to the local Administrators group on servers in another forest, with a one-way, external forest trust in place between them.

Here is a basic breakdown [1]:

  • Domain Admins is a global group and is therefore confined to its own domain, so you must nest it inside a domain local group in the target forest.
  • Universal groups are used to consolidate groups that span domains within a single forest; in my use case the domains are intentionally in separate forests because I want them to stay divided.
  • Global groups may contain accounts and other global groups from the SAME domain only.
  • Domain local groups may contain accounts, global groups and universal groups from ANY trusted domain, as well as domain local groups from the same domain.

The order of this nesting concept is AGDLP [2]: Account > Global(domain1) > Domain Local(domain2) > Permission.

This new domain local group, in my example, is "Group-Server-Admins". Once it exists and domain1's Domain Admins is nested inside it, we can create the GPO that adds it to the local Administrators group on the target domain's servers. I have linked this GPO at the domain root because I want all of domain1's Domain Admins to have local Administrator access on every server in domain2.

Path in the Group Policy editor: Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups
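The group side of the AGDLP nesting described above, plus a check on the result, as an added PowerShell example. This is not code from the original post; it assumes the RSAT ActiveDirectory module, placeholder domain names (domain1.example as the account forest, domain2.example as the resource forest), a placeholder OU path, and credentials for domain1 for the cross-forest lookup, since domain1 does not trust domain2. The GPO itself (Local Users and Groups preference) is still created in the Group Policy editor as the post describes; the last step only verifies that it applied.

```powershell
# Added example, not part of the original post. Placeholder names throughout.
Import-Module ActiveDirectory

$accountDomain  = 'domain1.example'     # forest whose Domain Admins get access (A, G)
$resourceDomain = 'domain2.example'     # forest whose servers receive the GPO (DL, P)
$groupName      = 'Group-Server-Admins'
$groupOu        = 'OU=Groups,DC=domain2,DC=example'   # placeholder OU in domain2

# The trust is one-way (domain2 trusts domain1), so reading domain1 needs
# domain1 credentials; domain2 itself is queried with the caller's own token.
$domain1Cred = Get-Credential -Message "Account in $accountDomain for the lookup"

# Step "DL": a DOMAIN LOCAL group in the resource domain. This is the only scope
# that can hold a principal from an external forest.
$dl = Get-ADGroup -Filter "Name -eq '$groupName'" -Server $resourceDomain
if (-not $dl) {
    $dl = New-ADGroup -Name $groupName -GroupScope DomainLocal `
        -GroupCategory Security -Path $groupOu -Server $resourceDomain -PassThru
}
if ($dl.GroupScope -ne 'DomainLocal') {
    throw "$groupName exists but is $($dl.GroupScope); cross-forest members need DomainLocal."
}

# Step "G": resolve the account forest's Domain Admins and keep its SID. Using the
# SID (RID 512) rather than the display name makes the nesting unambiguous.
$domainAdmins = Get-ADGroup -Identity 'Domain Admins' -Server $accountDomain -Credential $domain1Cred
$daSid = $domainAdmins.SID.Value

# Nest G inside DL. Members from another forest are stored as foreign security
# principals (FSPs); the "<SID=...>" DN syntax lets the domain2 DC create the FSP.
$current = (Get-ADGroup -Identity $dl -Properties member -Server $resourceDomain).member
if (-not ($current -match [regex]::Escape($daSid))) {
    Set-ADGroup -Identity $dl -Add @{ member = "<SID=$daSid>" } -Server $resourceDomain
}

# Confirm the membership landed as an FSP entry in domain2.
$members = (Get-ADGroup -Identity $dl -Properties member -Server $resourceDomain).member
$fsp = $members | Where-Object { $_ -like "CN=$daSid,CN=ForeignSecurityPrincipals,*" }
if (-not $fsp) { throw "Nesting failed: no FSP for $daSid found in $groupName." }
Write-Host "OK: $($domainAdmins.DistinguishedName) is nested in $groupName via $fsp"

# Step "P" is the Group Policy Preferences item configured in the editor. After
# the GPO is linked and a target server has run gpupdate, this check (run on
# that server, Windows Server 2016+ for Get-LocalGroupMember) shows whether the
# domain local group was actually added to the built-in Administrators group.
$expected = 'DOMAIN2\' + $groupName                  # placeholder NetBIOS name
$local = Get-LocalGroupMember -Group 'Administrators' |
         Where-Object { $_.Name -eq $expected }
if ($local) { Write-Host "OK: $expected is a local Administrator on $env:COMPUTERNAME" }
else        { Write-Warning "$expected not in local Administrators; check GPO scope and gpresult /r" }
```

The scope check before nesting is the part worth keeping: if someone later recreates Group-Server-Admins as a global or universal group, adding the foreign Domain Admins will fail, and the FSP lookup afterwards is how you tell a real nesting from a silently ignored one.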


References:

[1] https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups

[2] https://en.wikipedia.org/wiki/AGDLP
