Access Denied: Administering All Domains in a Forest
Learn what group to use when your responsibilities include managing an entire forest.
May 11, 2003
I manage my company's forest, and I'd like to put my user account in the Domain Admins group of each of the forest's three domains. When I go to the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in on a domain controller (DC), right-click Users, select Properties, then click the Members tab and the Add button, I get a list of the domains in the forest. However, I can't see accounts in any of the other domains, and I get the error No objects are available in this location. Select another location. Apparently, I can't add my account to a Domain Admins group unless the account resides in the same domain as the group. Is that correct?
That's correct. Domain Admins is a global group. Although you can grant global groups access to resources anywhere in the forest, global groups can contain as members only users and other global groups from the same domain. In contrast, universal groups can have access to anything in the forest, and members of universal groups can be from any domain in the forest. However, universal groups have a bigger replication impact than do global groups because universal groups must be replicated to every Global Catalog (GC) server in the forest. Domain local groups can have as members users and global groups from anywhere in the forest but can have permissions only on computers that are in the local domain. Machine local groups (which you define in the MMC Computer Management snap-in under Local Users and Groups) can also hold users and groups from anywhere in the forest but can have access only to objects on the local computer.
To administer the entire forest, add your account to the Enterprise Admins group. This group has full control throughout the forest.
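As an added example that is not part of the original column, the following PowerShell applies the scope rules described above as a read-only pre-check before any Add-ADGroupMember call, and then lists who currently holds Enterprise Admins rights. It assumes the ActiveDirectory RSAT module; the distinguished names and the domain names in them are placeholders for your own forest.

```powershell
# Added example (not from the column). Assumes the ActiveDirectory RSAT module;
# the distinguished names below are placeholders for your own forest.
Import-Module ActiveDirectory

function Get-DomainFromDN {
    param([string]$DistinguishedName)
    # Join the DC= components of a DN into the domain's DNS name.
    $parts = ($DistinguishedName -split ',') | Where-Object { $_ -like 'DC=*' }
    ($parts | ForEach-Object { $_.Substring(3) }) -join '.'
}

function Test-GroupScopeAllowsMember {
    param([string]$GroupDN, [string]$MemberDN)
    $groupDomain  = Get-DomainFromDN $GroupDN
    $memberDomain = Get-DomainFromDN $MemberDN
    # Ask a DC of the group's own domain so the lookup works across domains.
    $group      = Get-ADGroup -Identity $GroupDN -Server $groupDomain
    $sameDomain = ($groupDomain -eq $memberDomain)
    switch ("$($group.GroupScope)") {
        'Global'      { $allowed = $sameDomain
                        $why = 'global groups accept members only from their own domain' }
        'Universal'   { $allowed = $true
                        $why = 'universal groups accept members from any domain in the forest' }
        'DomainLocal' { $allowed = $true
                        $why = 'domain local groups accept users and global groups from any domain' }
    }
    [pscustomobject]@{
        Group = $group.Name; GroupScope = "$($group.GroupScope)"
        GroupDomain = $groupDomain; MemberDomain = $memberDomain
        Allowed = $allowed; Reason = $why
    }
}

# The situation in the question: an account from the root domain proposed for a
# child domain's Domain Admins (a global group). Expect Allowed = False.
Test-GroupScopeAllowsMember `
    -GroupDN  'CN=Domain Admins,CN=Users,DC=child,DC=example,DC=com' `
    -MemberDN 'CN=Alice,CN=Users,DC=example,DC=com'

# Enterprise Admins exists only in the forest root domain. Review its membership
# regularly: every account listed has full control of every domain in the forest.
$root = (Get-ADForest).RootDomain
Get-ADGroupMember -Identity 'Enterprise Admins' -Server $root -Recursive |
    Select-Object name, objectClass, distinguishedName
```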