Granting Domain Admin privileges to a cross-forest user account?

windows permissions groups active-directory

What I've discovered, that I'm hoping someone else can beat (by having these rights applies to existing objects) is:

  1. Establish proper DNS communication between the two forests.
    • In my case, this required a DNS delegation zone and properly configured conditional forwarders.
  2. Create a two-way, forest trust with forest-wide authentication.
  3. Add the Domain Admins@OneForest group to the Builtin\Adminstrators@OtherForest group.
    • This effectively grants user-level privileges on OtherForest domain computers, and administrative privileges on the domain controllers for OtherForest.
  4. Create a domain-local group in OtherForest and add the Domain Admins@OneForest group to it as members.
  5. Create a GPO/GPP to add the group created in step 4 to the local administrators group on all your domain computers.
    • Image of the above GPP

Related

400 Error with nginx-ingress to Kubernetes Dashboard
Can bonding 2 interfaces double the speed?
How can I backup a SQL Server 2008 R2 DB without taking it offline?
Installing multiple mongoDB versions on the same server
moving to a larger drive in linux
Why there shouldn't be too many files in one directory that serves just static web requests?
How do I donate obsolete or surplus computers?
Debian 6.0 AD integration
Apache/PHP appears to be caching symbolic links for 60 seconds - how to stop it, or discover what is really caching the symlinks and stop that?
Refuse to send email to specific recipients with Postfix
Minecraft DNS SRV record correct setup
AWS:EC2:: Could not connect FTP client?