I have 1 primary domain and 3 child domains.

contoso.com
asia.contoso.com
europe.contoso.com
corp.contoso.com

I want to add a user from the contoso.com domain to the Domain Admins group in the asia.contoso.com domain. I understand that this is not possible by default, but is there a workaround?

My goal is to allow team members to use a single set of credentials from the primary domain to manage Active Directory users and computers in the child domains — without granting them Enterprise Admin rights.

6 Spice ups

I am trying to reply, but currently getting an error.

Your topic title could be a little more descriptive.

As for your scenario:

Create a Universal Group in the Forest Root Domain

In contoso.com, create a Universal Security Group (e.g., Asia AD Admins).
Add your contoso.com users to this group.

Create a Domain-Local Group in the Child Domain

In asia.contoso.com, create a Domain Local Security Group (e.g., Asia Domain Admins Proxy).
Add the Universal Group (Asia AD Admins) from contoso.com to this Domain Local Group.

Add the Proxy Group to the Domain Admins Group

Add Asia Domain Admins Proxy to the Domain Admins group in asia.contoso.com.

I have no way to test this, so please try this at your own discretion. It should work, but I don’t use or have access to child domains to test.

Child domains are also not recommended these days; segregation via OUs and delegated control is the new way to do this, and then you don’t have the issues you see now.

2 Spice ups

Thanks for the reply Rod. I have tested it and it appears that the proxy group (Domain Local) cannot be added into the Domain Admins group in the Asia domain.

1 Spice up
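The failure reported above follows from the Active Directory group-scope nesting rules: Domain Admins is a Global group, and a Global group can only contain users and Global groups from its own domain. As an added illustration (not code from this thread), the following Python model encodes those rules and checks each step of the proposed workaround; the group and user names are constructed from the thread.

```python
# Added illustration: AD group-scope nesting rules (native-mode forest),
# applied to the workaround proposed in this thread. Not code from the thread.
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str          # e.g. "contoso.com" or "asia.contoso.com"
    kind: str            # "user", "global", "universal" or "domainlocal"

def can_be_member(member: Principal, group: Principal) -> bool:
    """Return True if `member` may be nested in `group` under AD scope rules.

    Global group:       users and Global groups from the SAME domain only.
    Universal group:    users, Global and Universal groups from ANY domain in the forest.
    Domain Local group: users, Global and Universal groups from any domain,
                        plus Domain Local groups from the same domain.
    """
    same_domain = member.domain == group.domain
    if group.kind == "global":
        return same_domain and member.kind in ("user", "global")
    if group.kind == "universal":
        return member.kind in ("user", "global", "universal")
    if group.kind == "domainlocal":
        if member.kind == "domainlocal":
            return same_domain
        return member.kind in ("user", "global", "universal")
    raise ValueError(f"not a group scope: {group.kind}")

# Constructed objects matching the thread's proposed steps.
ROOT, ASIA = "contoso.com", "asia.contoso.com"
root_user      = Principal("jdoe", ROOT, "user")                            # constructed sample user
asia_ad_admins = Principal("Asia AD Admins", ROOT, "universal")
proxy_group    = Principal("Asia Domain Admins Proxy", ASIA, "domainlocal")
domain_admins  = Principal("Domain Admins", ASIA, "global")                # Domain Admins is always Global scope

def check_workaround() -> dict:
    """Evaluate each nesting step of the workaround; step 3 is the one that fails."""
    return {
        "step1_user_into_universal": can_be_member(root_user, asia_ad_admins),
        "step2_universal_into_domainlocal": can_be_member(asia_ad_admins, proxy_group),
        "step3_domainlocal_into_domain_admins": can_be_member(proxy_group, domain_admins),
        "universal_into_domain_admins": can_be_member(asia_ad_admins, domain_admins),
    }

if __name__ == "__main__":
    for step, ok in check_workaround().items():
        print(f"{step}: {'allowed' if ok else 'NOT allowed'}")
```

The last entry shows that switching the proxy group to Universal scope does not help either, because the blocking rule is the Global scope of Domain Admins, not the scope of the group being nested.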

If it doesn’t work, there is no other workaround; they’ll either need to use separate accounts or an EA account.

Personally I would opt for specific accounts per domain, that way their login denotes which domain they are working on.

AS-username
EU-username
Corp-username

DA-username

As examples.

Note that the groups need to be universal, not domain local, unless specified.

1 Spice up

You need to create users/groups going forward as Universal (group scope). You can go back and modify existing groups.

Ahh, you beat me to it!

1 Spice up