Windows – Make a user from one domain a member of Domain Admins of another domain

Tags: active-directory, windows

On an Active Directory domain D1, I'm creating specific groups to delegate some tasks. One of these specific groups is just a member of "Domain Administrators" to give people all management powers.

IT administrator accounts will then be members of the specific group, depending on the need.
These people need to administer multiple AD domains (D2, D3…), so I thought about the possibility of enabling accounts from D1 on D2, D3…

I managed to set this up for all delegation groups, except for Domain Administrators. This group in D2 or D3 is a "global" group and I can't make a universal group from another domain a member of it.

I know it's dependent on this idea of group scope in Active Directory (see http://technet.microsoft.com/en-us/library/cc776499%28v=ws.10%29.aspx) but I wonder if someone has found a workaround to this problem.

Update: So, it's not possible, but using "BUILTIN\Administrators" and GPO/GPP, can I give these accounts the same power as "Domain Administrators"? Or will there always be tasks that only a domain administrator could do?

Best Answer

You can't do what you're asking. Users from one domain can be added to the "Builtin\Administrators" group of another domain, which will allow them to manage all Domain Controllers in that domain, but this isn't the same as giving them Domain Admin, which provides implicit admin rights on all members of the domain.

This is typically accomplished in one of two ways:

  1. Each admin has one Domain Admin account per domain that they must manage.

  2. Their admin account from their "home" domain is added to the Builtin\Administrators group and is made a local admin on all domain members via GPO Restricted Groups or GPP group preferences.

As you've said, global groups can only contain security principals from their own domain, and the Domain Admins group's scope cannot be altered.

To address your edits: they will have similar permissions to the Domain Admins group at that point.
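The following PowerShell is an added example and is not part of the question or the answer above. It shows the group-scope check behind the answer (Domain Admins is Global, Builtin\Administrators is Domain Local) and the supported route of adding an account from the home domain to Builtin\Administrators of the managed domain, then verifying the resulting membership. It assumes the ActiveDirectory RSAT module, two domains in the same forest named `d1.example.local` and `d2.example.local`, an admin account `jdoe.admin` in D1, and that the caller already has rights to modify group membership in D2; all of these names are placeholders.

```powershell
# Added example, not the poster's code. Placeholder domain and account names.
Import-Module ActiveDirectory

$HomeDomain   = 'd1.example.local'   # placeholder: domain the admin account lives in (D1)
$TargetDomain = 'd2.example.local'   # placeholder: domain to be administered (D2)
$AdminSam     = 'jdoe.admin'         # placeholder: admin account in the home domain

# Resolve the account against a DC of its own domain, not the target domain.
$foreignUser = Get-ADUser -Identity $AdminSam -Server $HomeDomain

# Group scope decides whether a cross-domain member is allowed at all:
#   Global      -> members must come from the group's own domain
#   DomainLocal -> members may come from any trusted domain
#   Universal   -> members may come from any domain in the forest
$domainAdmins  = Get-ADGroup -Identity 'Domain Admins'  -Server $TargetDomain
$builtinAdmins = Get-ADGroup -Identity 'Administrators' -Server $TargetDomain   # Builtin\Administrators

'{0,-25} scope: {1}' -f $domainAdmins.Name,  $domainAdmins.GroupScope    # Global
'{0,-25} scope: {1}' -f $builtinAdmins.Name, $builtinAdmins.GroupScope   # DomainLocal

if ($domainAdmins.GroupScope -eq 'Global') {
    Write-Warning "Domain Admins is a Global group; an account from $HomeDomain cannot be added to it."
}

# The route the answer describes: add the D1 account to Builtin\Administrators of D2.
Add-ADGroupMember -Identity $builtinAdmins -Members $foreignUser -Server $TargetDomain

# Verify the change and keep a record of who now holds this membership;
# membership of Builtin\Administrators is something to review regularly.
Get-ADGroupMember -Identity $builtinAdmins -Server $TargetDomain |
    Select-Object Name, objectClass, distinguishedName
```

Local admin rights on the member servers and workstations still have to be delivered separately through GPO Restricted Groups or GPP Local Users and Groups, as the answer says; this script only covers the domain-controller side of the setup. The scope check is worth keeping even when you know the answer, because it turns the "can't add member" error into an explicit message about why.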