This is the second part of my earlier article, Adding user to domain administrators from another cross domain - Part 1, where I set up a cross-domain trust and added a cross-domain user to the AD Administrators group for management purposes. After getting access to the acquired company's Active Directory domain controllers, I wanted access to a few member servers for management.
In Active Directory Users and Computers I created a group, Server_Admins, with group scope Domain Local and group type Security (the default), and added a user from another domain to this group.
Adding user to domain administrators from another cross domain - Part 1
Adding active directory group to computer local administrator Group using Group Policy Object - Part 2
For easier management, I already have an organizational unit (OU) where the computer account objects reside; I need administrator access on these computers.
Open the Group Policy Management tool. Expand Forest > Domains > Group Policy Objects, right-click, and press New.
This creates a new GPO; I named it Administrator_From_Another_Domain.
Once you press the OK button, the GPO is shown under Group Policy Objects. It is empty at the moment and has no settings in it.
The GPO opens in Group Policy Management Editor. Expand Computer Configuration > Policies > Windows Settings > Security Settings, right-click Restricted Groups, and select Add Group. Browse for the group, select the group created earlier, check names, and click OK twice.
The new group name is now shown under Restricted Groups. Click the Add button under "This group is a member of", browse for the group membership, and select Administrators (this represents the local computer group).
The Group Policy Object configuration is now complete. Close Group Policy Management Editor, which saves the settings.
The newly created GPO now has the settings. Right-click the OU where you want to link it, press Link an Existing GPO, select the GPO from the list, and click OK.
The link can be seen on the OU. Configuration is completed.
Generally it takes 90 minutes for the settings to be reflected on the computers. I can verify the result in Local Users and Groups, in the Administrators group properties.
If you don't want to wait, you can reboot the server to get the settings immediately. To avoid a reboot, run the gpupdate /force command in a command prompt instead (make sure you open CMD as administrator so that computer policy is applied).
To verify that the settings are coming from Group Policy, I can use the command gpresult /h report.html & start report.html. The GPO is shown as the winning policy, as per the screenshot.
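The verification steps above can also be scripted on a member server in the linked OU. The following is an added example, not part of the original post; `EXAMPLE` is a placeholder NetBIOS domain name and `Test-RestrictedGroupMember` is a hypothetical helper name.

```powershell
#Requires -RunAsAdministrator
# Added example: run in an elevated PowerShell session on a member server.
# Assumptions: 'EXAMPLE' is a placeholder domain name; Server_Admins is the
# group created earlier in this article.

function Test-RestrictedGroupMember {
    param(
        [string]$ExpectedMember = 'EXAMPLE\Server_Admins',
        # Well-known SID of the built-in local Administrators group;
        # using the SID avoids problems on non-English installations.
        [string]$LocalGroupSid  = 'S-1-5-32-544'
    )

    # Refresh computer policy now instead of waiting for the background refresh.
    gpupdate /target:computer /force | Out-Null

    # Enumerate the local group as it stands after the refresh.
    $members = Get-LocalGroupMember -SID $LocalGroupSid

    # -eq on strings is case-insensitive in PowerShell.
    $found = $members | Where-Object { $_.Name -eq $ExpectedMember }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        ExpectedMember = $ExpectedMember
        Present        = [bool]$found
        AllMembers     = $members | Select-Object Name, ObjectClass, PrincipalSource
    }
}

$result = Test-RestrictedGroupMember
$result | Format-List Computer, ExpectedMember, Present

# Review every member, not only the expected one.
$result.AllMembers | Format-Table -AutoSize

# Show which GPOs were applied to the computer.
gpresult /r /scope computer
```

The "This group is a member of" setting adds the group to local Administrators without removing members that are already there, so the full member list is worth reviewing on each server.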
This post first appeared on Tales From Real IT System Administrators World And Non-production Environment, please read the original post: here