Active Directory Domain Admin Rights
18 years 5 months ago #14875
by 3wsparky
Replied by 3wsparky on topic Re: Active Directory Domain Admin Rights
i would say that it depends on the trust relationship between the domains, i.e. if they're one-way or two-way; that would result in who has what permissions over whose domain. this would be combined with a policy or two.
18 years 5 months ago #14884
by alx
Replied by alx on topic Re: Active Directory Domain Admin Rights
i also think that domain admins don't have administrative access in other trusted domains, be it 1- or 2-way trust.
but i think that there is a problem (read: security hole) when it comes to SIDs. the admin of a trusted domain could create a group with a SID in his domain that is equal to an administrative group in the trusting domain and add himself to this group so that this SID is being transmitted when he logs on to the other domain (or this SID needs to be added to the historical groups or something, not sure at this point). use "SID filtering" to prevent this. maybe someone has a handy link for this and/or can correct me if i'm wrong.
.alx
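
A defender-side audit of the SID filtering setting and the SID history attribute mentioned in the post above, as an added example that is not part of the thread. It assumes the ActiveDirectory PowerShell module (RSAT), read access to the directory, and that it is run in the trusting domain; the list of privileged RIDs is a choice made for this example.

```powershell
# Added example: audit SID filtering and sIDHistory from the trusting domain.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# 1. Show the SID-filtering flags that Get-ADTrust exposes for each trust.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, IntraForest,
                  SIDFilteringQuarantined, SIDFilteringForestAware |
    Format-Table -AutoSize

# 2. List every principal that carries sIDHistory and flag risky entries:
#    - a SID from this same domain (legitimate migration does not normally
#      produce this)
#    - a well-known privileged RID (500 Administrator, 512 Domain Admins,
#      518 Schema Admins, 519 Enterprise Admins) from any domain
$privilegedRids = '500', '512', '518', '519'

$findings = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
    ForEach-Object {
        $obj = $_
        foreach ($entry in $obj.sIDHistory) {
            # Normalise to string form whether the provider returns a
            # SecurityIdentifier or raw bytes.
            if ($entry -is [byte[]]) {
                $entry = New-Object System.Security.Principal.SecurityIdentifier($entry, 0)
            }
            $sid    = $entry.ToString()
            $cut    = $sid.LastIndexOf('-')
            $prefix = $sid.Substring(0, $cut)      # domain part of the SID
            $rid    = $sid.Substring($cut + 1)     # relative identifier
            [pscustomobject]@{
                Object        = $obj.DistinguishedName
                HistorySid    = $sid
                SameDomain    = ($prefix -eq $domainSid)
                PrivilegedRid = ($privilegedRids -contains $rid)
            }
        }
    }

# Flagged entries sort to the top for review.
$findings | Sort-Object SameDomain, PrivilegedRid -Descending |
    Format-Table -AutoSize
```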