Cross-forest administration

[Guest PedroAsani]

I'm having trouble finding the information I need, I suspect mainly because

what I am trying to do violates a basic security principle, but the business

case for doing so is valid.

 

I am working for a company that buys and sells companies. They have their

own sysadmin team that do all the admin for all the companies [ForestA].

 

They want to be able to sell off the companies with as little hassle as

possible, so each one has their own Forest, the idea being that all we would

need to do is give the new owners the passwords, unhook the Trusts, and we

would be done. [ForestB, ForestC etc]

 

The Trusts are in place, but we want to be able to make an account in

ForestA have Enterprise Admin, Schema Admin etc in the other Forests. No user

accounts will exist in the Forests for administration (IT directors policy)

 

The IT Staff have a Universal group in ForestA, and a domain local group in

ForestB. In order to have the equivalent permissions as (a) the Enterprise

Admin, (b) Schema Admin, and © Group Policy Creator Owner.