What is the right way to delegate domain admin rights in a subdomain to a group of administrators in the root domain?

...we build up a subdomain (eg. sub.scs.local) within a rootdomain (eg. scs.local). There is a group of administrators in the root domain which should be added to the group of domain admins in the subdomain.  The domain admin group is a global group, so I am not able to add anyone from outside the domain...
What is the easiest way to handle this?
LauraEHunterMVP Commented:
Define what rights you want to delegate to these folks.

Create a Universal Group in Domain B containing the users in Domain A.  
Use the Delegation of Authority Wizard within AD to delegate rights within AD, and add the UG to any relevant domain local groups.
Here's one thing you can do:

Create a Universal Group, then delegate the permissions to it.

Universal groups are available in 2003 mode only.  If you are running in mixed mode, you can change your functional level by going to Active Directory Users and Computers, selecting the domain, right-clicking and choosing "Change domain functional level".

Select 2003 Native mode.  In 2003 mode, you will not be able to have NT4 domain controllers.
See if this works:


1.  Make a universal group in child domain containing domain admins of parent domain
2.  Add the universal group to the child domain's Domain Admins group

Are you sure about that one, Steve?  Domain Admins is a global group, which means that it will only accept members from within the same domain.  (That's why this question is always tricky, because you'd think that you should be able to nest groups from another domain into the DA group, but b/c it's a global group, you can't.)
That is why the universal group is created in the same domain as the Domain Admins group you are editing.  I haven't tried it myself, but I believe it may work since the group is a universal group.
It's the other way around, unfortunately.  You can put a GG into a UG, but not a UG into a GG.  This is because of the scope of the global group, since putting a UG into a GG could potentially violate that: a UG in DomainA could potentially contain users from DomainB, which would violate the scope of the GG if you nested that way.

If you've got Exchange running, try putting the Exchange Full Admins group (A UG) into your Domain Admins group.  ADUC won't let you do it, and a command-line tool like admod will give you a constraint violation.
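The workable approach from this thread (a universal group created in the child domain, holding the parent-domain admins, then granted rights through domain local groups or the delegation wizard rather than through Domain Admins), as an added PowerShell example that is not from any poster here. The domain names follow the question; the OU path, the group names Root-Admins, Parent-Admins-for-Sub and Sub-Server-Operators, and the Test-GroupNesting helper are assumptions for illustration. The helper encodes the scope rules Laura describes, so it also shows why Steve's step 2 is rejected.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$ParentDomain = 'scs.local'                                  # root domain from the question
$ChildDomain  = 'sub.scs.local'                              # subdomain from the question
$ChildOu      = 'OU=Delegation,DC=sub,DC=scs,DC=local'       # assumed OU in the child domain

# Extract the domain part of a distinguished name (everything from the first DC= on).
function Get-DnDomain([string]$Dn) { return ($Dn -replace '^.*?DC=', 'DC=') }

# Assumed helper: returns $true if $Member is allowed inside $TargetGroup under AD scope rules.
#   Global      : only users/Global groups from the SAME domain (this is why Domain Admins is closed)
#   Universal   : users/Global/Universal groups from ANY domain, never Domain Local groups
#   DomainLocal : anything from any domain, plus Domain Local groups from its own domain
function Test-GroupNesting {
    param([Parameter(Mandatory)] $TargetGroup, [Parameter(Mandatory)] $Member)
    $sameDomain = (Get-DnDomain $TargetGroup.DistinguishedName) -eq (Get-DnDomain $Member.DistinguishedName)
    $isGroup    = $Member.ObjectClass -eq 'group'
    switch ($TargetGroup.GroupScope) {
        'Global'      { return $sameDomain -and ((-not $isGroup) -or ($Member.GroupScope -eq 'Global')) }
        'Universal'   { return (-not $isGroup) -or ($Member.GroupScope -ne 'DomainLocal') }
        'DomainLocal' { return (-not $isGroup) -or ($Member.GroupScope -ne 'DomainLocal') -or $sameDomain }
    }
}

# 1. Universal group in the CHILD domain; its scope allows members from the parent domain.
$ug = New-ADGroup -Name 'Parent-Admins-for-Sub' -GroupScope Universal -GroupCategory Security `
                  -Path $ChildOu -Server $ChildDomain -PassThru

# 2. Nest the parent-domain admin group (assumed to be a Global group called Root-Admins).
$rootAdmins = Get-ADGroup -Identity 'Root-Admins' -Server $ParentDomain
if (-not (Test-GroupNesting -TargetGroup $ug -Member $rootAdmins)) { throw 'Scope violation' }
Add-ADGroupMember -Identity $ug -Members $rootAdmins -Server $ChildDomain

# 3. The nesting the thread rules out: the child's Domain Admins is Global, so the UG is refused.
$childDA = Get-ADGroup -Identity 'Domain Admins' -Server $ChildDomain
if (Test-GroupNesting -TargetGroup $childDA -Member $ug) { throw 'Unexpected: GG accepted a UG' }

# 4. Grant the rights through a Domain Local group in the child domain instead (assumed to
#    exist, e.g. one the Delegation of Control wizard was run for). This keeps the parent
#    admins to the rights actually delegated rather than full Domain Admins in the child.
$dl = Get-ADGroup -Identity 'Sub-Server-Operators' -Server $ChildDomain
if (-not (Test-GroupNesting -TargetGroup $dl -Member $ug)) { throw 'Scope violation' }
Add-ADGroupMember -Identity $dl -Members $ug -Server $ChildDomain

# Verify what the child domain now resolves as members of the Domain Local group.
Get-ADGroupMember -Identity $dl -Server $ChildDomain -Recursive | Select-Object Name, ObjectClass
```

Run it with an account that can create groups in the child OU and read the parent domain; a single forest with the child domain at 2003 native level or higher is assumed so that universal security groups are available.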
Alexander_Schwarz (Author) Commented:
...so now I know what does not work, but what works?