What is the right way to delegate domain admin rights in a subdomain to a group of administrators in the root domain?

...we are building a subdomain (e.g. sub.scs.local) within a root domain (e.g. scs.local). There is a group of administrators in the root domain which should be added to the group of domain admins in the subdomain. The domain admin group is a global group, so I am not able to add anyone from outside the domain...
What is the easiest way to handle this?
Here's one thing you can do:

Create a Universal Group, then delegate the permissions to it.

Universal groups are available in 2003 mode only.  If you are running in mixed mode, you can change your functional level by going to Active Directory Users and Computers, selecting the domain, right-clicking and choosing "Change domain functional level".

Select 2003 Native mode.  In 2003 mode, you will not be able to have NT4 domain controllers.
See if this works:


1.  Make a universal group in child domain containing domain admins of parent domain
2.  Add universal group to child domain domain admins group
Are you sure about that one, Steve?  Domain Admins is a global group, which means that it will only accept members from within the same domain.  (That's why this question is always tricky, because you'd think that you should be able to nest groups from another domain into the DA group, but b/c it's a global group, you can't.)

That is why the universal group is created in the same domain as the Domain Admins group you are editing.  I haven't tried it myself, but I believe it may work since the group is a universal group.
It's the other way around, unfortunately.  You can put a GG into a UG, but not a UG into a GG.  This is because of the scope of the global group, since putting a UG into a GG could potentially violate that: a UG in DomainA could potentially contain users from DomainB, which would violate the scope of the GG if you nested that way.

If you've got Exchange running, try putting the Exchange Full Admins group (a UG) into your Domain Admins group.  ADUC won't let you do it, and a command-line tool like admod will give you a constraint violation.
Alexander_Schwarz (Author) commented:
...so now I know what does not work, but what works?
Define what rights you want to delegate to these folks.

Create a Universal Group in Domain B containing the users in Domain A.  
Use the Delegation of Authority Wizard within AD to delegate rights within AD, and add the UG to any relevant domain local groups.
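The accepted approach scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original thread. The domain names, the parent-domain group "Root Admins", the OU path and the choice of the child domain's Administrators group as the domain local target are assumptions; pick whichever domain local group carries the rights you actually defined.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module
# and an account allowed to create groups in the child domain.
# Assumed names: parent scs.local, child sub.scs.local, parent group "Root Admins",
# child-domain OU "OU=Delegation,DC=sub,DC=scs,DC=local".
Import-Module ActiveDirectory

$parentDC = 'scs.local'       # any DC of the parent domain will answer here
$childDC  = 'sub.scs.local'   # any DC of the child domain
$childOU  = 'OU=Delegation,DC=sub,DC=scs,DC=local'

# 1. The universal group lives in the child domain: only universal scope can
#    hold security principals from another domain of the forest.
$ug = New-ADGroup -Name 'Sub Delegated Admins' -GroupScope Universal `
        -GroupCategory Security -Path $childOU -Server $childDC -PassThru

# 2. Nest the parent-domain global group into it. A GG may be a member of a UG;
#    the reverse (UG into the global Domain Admins) is the constraint violation
#    discussed above, so we never attempt that.
$rootAdmins = Get-ADGroup -Identity 'Root Admins' -Server $parentDC
Set-ADGroup -Identity $ug -Server $childDC `
    -Add @{ member = $rootAdmins.DistinguishedName }

# 3. Grant the rights through a domain local group in the child domain instead
#    of Domain Admins. BUILTIN\Administrators is domain local and accepts a UG;
#    substitute a narrower domain local group if that is all the task needs.
Add-ADGroupMember -Identity 'Administrators' -Members $ug -Server $childDC

# Check the scopes before trusting the result: expect Global for Domain Admins,
# Universal for the new group and DomainLocal for Administrators.
'Domain Admins', 'Sub Delegated Admins', 'Administrators' |
    ForEach-Object { Get-ADGroup -Identity $_ -Server $childDC } |
    Select-Object Name, GroupScope
```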
