Allow administrator from external domain read access to my domain

Hi,

I'm want to allow an admin from an external domain access my active
directory so they can add a Global Security group from this domain
(DomainA) to the access control list of a share on the external domain
(DomainB). I want the admin in the external domain to only have Read
Access to this domain so giving the external Admin the password to an
administrator account on this domain is not going to work. So my
question is, when creating a user ID for the external admin to use,
what rights should I grant him to allow him read access to this domain
such that he can pull down groups from DomainA to be added to ACL's on
DomainB

Configuration:
Both domains are in completely seperate Windows 2003 Forests
There is a 1 way non transitive external trust from DomainA to DomainB
(i.e. the external domain trusts this domain but not the other way
round)

Thanks in advance for any advise

Paul

"PMC1" <(E-Mail Removed)> wrote in message
news:e7a94128-3b30-42a7-946d-(E-Mail Removed)...
> Hi,
>
> I'm want to allow an admin from an external domain access my active
> directory so they can add a Global Security group from this domain
> (DomainA) to the access control list of a share on the external domain
> (DomainB). I want the admin in the external domain to only have Read
> Access to this domain so giving the external Admin the password to an
> administrator account on this domain is not going to work. So my
> question is, when creating a user ID for the external admin to use,
> what rights should I grant him to allow him read access to this domain
> such that he can pull down groups from DomainA to be added to ACL's on
> DomainB
>
> Configuration:
> Both domains are in completely seperate Windows 2003 Forests
> There is a 1 way non transitive external trust from DomainA to DomainB
> (i.e. the external domain trusts this domain but not the other way
> round)
>
> Thanks in advance for any advise
>
> Paul

Since the trust is already in place, has B's admin simply tried to add a
user or group from A's domain to the resource?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
(E-Mail Removed)

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay

Hello,

put the groups you want to delegate in an OU, and give him the rights to
manage these groups through dsa.msc.

Of course, domain admins group & others mustn't be in this OU (they are
in OU Users by default)

PLEASE DO NOT MULTIPOST IN NEWSGROUPS. THANKS

Cordialement,
Mathieu CHATEAU
french blog: http://www.lotp.fr
english blog: http://lordoftheping.blogspot.com


PMC1 a écrit :
> Hi,
>
> I'm want to allow an admin from an external domain access my active
> directory so they can add a Global Security group from this domain
> (DomainA) to the access control list of a share on the external domain
> (DomainB). I want the admin in the external domain to only have Read
> Access to this domain so giving the external Admin the password to an
> administrator account on this domain is not going to work. So my
> question is, when creating a user ID for the external admin to use,
> what rights should I grant him to allow him read access to this domain
> such that he can pull down groups from DomainA to be added to ACL's on
> DomainB
>
> Configuration:
> Both domains are in completely seperate Windows 2003 Forests
> There is a 1 way non transitive external trust from DomainA to DomainB
> (i.e. the external domain trusts this domain but not the other way
> round)
>
> Thanks in advance for any advise
>
> Paul