Guest PedroAsani
Posted November 29, 2007

I'm having trouble finding the information I need, I suspect mainly because what I am trying to do violates a basic security principle, but the business case for doing so is valid.

I am working for a company that buys and sells companies. They have their own sysadmin team that do all the admin for all the companies [ForestA]. They want to be able to sell off the companies with as little hassle as possible, so each one has their own Forest, the idea being that all we would need to do is give the new owners the passwords, unhook the Trusts, and we would be done. [ForestB, ForestC etc.]

The Trusts are in place, but we want to be able to make an account in ForestA have Enterprise Admin, Schema Admin etc. in the other Forests. No user accounts will exist in the Forests for administration (IT director's policy).

The IT Staff have a Universal group in ForestA, and a domain local group in ForestB. In order to have the equivalent permissions as (a) the Enterprise Admin, (b) Schema Admin, and (c) Group Policy Creator Owner.