We've got a subsidiary who have their own forest and IT team, there is a two way trust between the forests and we often add users to security groups from the each others domain.
Currently our service desk can add people from our domain to groups from the other domain via ADUC, but because we haven't added that domain to ARS they cannot use ARS.
I'd like to remove service desk access to ADUC so they can only use ARS, but I need to find a solution for letting them add people to groups from the other domain.
I know I can add the domain with and proxy/override account, my understanding is that account needs to be domain admin in the domain. I'd prefer not to have a domain admin account in that domain as we do not manage or own it. Can we provide a minimum set of permissions so that ARS can be used for updating group membership only?
