abrarali, 2025-07-10 10:10 UTC (6 upvotes, 6 replies):

I have 1 primary domain and 3 child domains.

    contoso.com
    asia.contoso.com
    europe.contoso.com
    corp.contoso.com

I want to add a user from the contoso.com domain to the Domain Admins group in the asia.contoso.com domain. I understand that this is not possible by default, but is there a workaround?

My goal is to allow team members to use a single set of credentials from the primary domain to manage Active Directory users and computers in the child domains — without granting them Enterprise Admin rights.

Rod-IT, 2025-07-10 10:37 UTC (2 upvotes):

I am trying to reply, but currently getting an error.

Your topic title could be a little more descriptive.

As for your scenario:

1. Create a Universal Group in the Forest Root Domain
   - In `contoso.com`, create a Universal Security Group (e.g., `Asia AD Admins`).
   - Add your `contoso.com` users to this group.
2. Create a Domain-Local Group in the Child Domain
   - In `asia.contoso.com`, create a Domain Local Security Group (e.g., `Asia Domain Admins Proxy`).
   - Add the Universal Group (`Asia AD Admins`) from `contoso.com` to this Domain Local Group.
3. Add the Proxy Group to the Domain Admins Group
   - Add `Asia Domain Admins Proxy` to the `Domain Admins` group in `asia.contoso.com`.

I have no way to test this, so please try this at your own discretion. It should work, but I don’t use or have access to child domains to test.

Child domains are also not recommended these days; segregation via OU and delegated control is the new way to do this, and then you don’t have the issues you see now.

abrarali, 2025-07-10 10:51 UTC (1 upvote):

Thanks for the reply, Rod. I have tested it and it appears that the proxy group (Domain-Local) cannot be added to the Domain Admins group in the Asia domain.

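The nesting chain proposed in the reply above, and the result reported in the follow-up, checked hop by hop against Active Directory's group-scope membership rules. This is an added example, not part of any post in the thread; the account name `alice` is a constructed placeholder, and `Domain Admins` is modelled with its default global scope.

```python
from dataclasses import dataclass

# Added example: AD group-scope nesting rules inside one forest, as a model.
ACCOUNT, GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "account", "global", "universal", "domain-local"

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str  # ACCOUNT, or the scope of a security group

def can_nest(member, group):
    """Return (allowed, rule) for adding `member` to `group`."""
    same_domain = member.domain.lower() == group.domain.lower()
    if group.kind == GLOBAL:
        rule = "global groups take accounts and global groups from their own domain only"
        return same_domain and member.kind in (ACCOUNT, GLOBAL), rule
    if group.kind == UNIVERSAL:
        rule = "universal groups take accounts, global and universal groups from any forest domain"
        return member.kind in (ACCOUNT, GLOBAL, UNIVERSAL), rule
    if group.kind == DOMAIN_LOCAL:
        rule = ("domain local groups take accounts, global and universal groups from any "
                "domain, and domain local groups from their own domain")
        return member.kind != DOMAIN_LOCAL or same_domain, rule
    return False, "the target is an account, not a group"

def check_chain(chain):
    """Evaluate every member -> group hop; return (member, group, allowed, rule) tuples."""
    return [(m.name, g.name, *can_nest(m, g)) for m, g in zip(chain, chain[1:])]

def first_blocked_hop(chain):
    """Return the first hop the scope rules reject, or None if the whole chain nests."""
    return next((hop for hop in check_chain(chain) if not hop[2]), None)

# Constructed sample: the groups named in the thread; "alice" is a placeholder account.
PROPOSED_CHAIN = [
    Principal("alice", "contoso.com", ACCOUNT),
    Principal("Asia AD Admins", "contoso.com", UNIVERSAL),
    Principal("Asia Domain Admins Proxy", "asia.contoso.com", DOMAIN_LOCAL),
    Principal("Domain Admins", "asia.contoso.com", GLOBAL),  # default scope: global
]

if __name__ == "__main__":
    for member, group, allowed, rule in check_chain(PROPOSED_CHAIN):
        print(f"{'OK   ' if allowed else 'BLOCK'} {member} -> {group}: {rule}")
```
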
Rod-IT, 2025-07-10 11:05 UTC (1 upvote):

If it doesn’t work, there is no other workaround; they’ll either need to use separate accounts or an EA account.

Personally I would opt for specific accounts per domain; that way their login denotes which domain they are working on.

AS-username
EU-username
Corp-username

DA-username

As examples.

Note that the groups need to be universal, not domain local, unless specified.

Jay-Updegrove, 2025-07-10 15:28 UTC (0 upvotes):

You need to create users/groups going forward as Universal (group scope). You can go back and modify existing groups.

Jay-Updegrove, 2025-07-10 15:28 UTC (1 upvote):

Ahh, you beat me to it!